Facebook Campaign enables us to measure response and retarget from campaigns we run on Facebook and Instagram

Specific purposes

The council has a wide range of purposes for which we gather data, all aimed at providing you the best possible service. A large number of these purposes are listed below. If a service is not listed this is because it only retains data relevant to delivery which is not sensitive. For services not noted a retention period for your data of seven years may be assumed. Some parts of these notices have been provided by third parties and therefore may repeat information elsewhere in this notice.

Enfield Adoption Service is committed to protecting the privacy and security of your personal information. The adoption service privacy notice (PDF) describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the data protection legislation. This applies to all users of our adoption service.

Enfield Council rents allotments to people who wish to use them for growing of vegetables, fruit and flowers. The Council keeps records of contact details, rent payments, issues with the allotment and details allowing discount. All are kept until the end of tenancy plus seven years as required for records involving financial details.

Enfield Council processes asbestos samples on its own behalf, on behalf of other organisations and members of the public on request. The data relating to these samples is kept for 20 years including the details of the requestor.

Enfield Council operates CCTV systems across the borough for the purposes of prevention and detection of crime under Section 115 of the Crime and Disorder Act 1998. New camera requests follow the surveillance camera code of practice. Image data is retained for 31 days unless an incident occurs. Data is retained as long as is required for evidence if an incident occurs.

Enfield Council keeps records of contractors working in cemeteries in connection with cemetery operations, funeral directors, memorial masons etc. This is a legal requirement under the Local Authorities Cemeteries Order 1977 (amended 1986) and associated regulations.

Enfield Council wants its citizens to be aware of services that may be useful to them, and to encourage local events and culture. We operate an opt-in email mailing list for this purpose; citizens may opt in or out at any time by visiting our website. We also respond to social media queries; we do not retain data on social media accounts. Please see the privacy statements of the social media providers for more detail. Enfield Council also keeps details on voluntary and community organisations (“third sector”) including contact details for people in these organisations so that we can contact them with relevant information. Consent is obtained for this annually via email/letters and completion of form template.

The Complaints and Information Service acts as the gateway to the council for complaints, consultations, Environmental Information requests, Freedom of Information requests, Subject Access requests and general information requests. Data is held in order to complete your request or complaint and for the purposes of internal performance reporting. The retention period of each type of data can be found in our retention policy (PDF).

If you apply for a Blue Badge, Freedom Pass, Taxi Card or Brown Badge we keep data about you in order to service the request and to prove eligibility. This includes your contact details, your National Insurance Number, your date of birth, your benefits entitlement and details of your disability, including evidence from others verifying the data given. This data is used only for this purpose and is removed when you no longer claim the travel concession.

The Council Tax Regulations and Local Government Finance Act 1992 and the Non-domestic rating Regulations 1989 allow for local authorities to collect and administer Council Tax and Business Rates.

The information we collect and process for this purpose includes:

  • Your name, address, email address and phone number for Council Tax liability
  • The start date of residency
  • The date you left your previous address
  • If you are a tenant or the owner of the property
  • If you are the owner of more than one address
  • Your household make up for Council Tax liability to accurately apply discounts, exemptions and disregards
  • Banking and payment details
  • Your property attracting Council Tax or Business Rate liability
  • Your business name and mailing address

We also collect the following information for the purposes of debt collection:

  • Your household income and expenditure
  • Your National Insurance number
  • Your capital and assets held
  • Your employment details

We have a duty to protect the public funds we administer and may use information held about you for all lawful purposes, including the prevention and detection of fraud. The Council may also share this information with law enforcement agencies and other bodies responsible for auditing or administering public funds for these purposes.

Your data will be kept for at least seven years as required by law and is not generally removed unless you are no longer resident in the borough.

The council has a duty to protect public funds and as such will use measures to ensure that monies it owes are collected.

If we notify you that you owe us money, and you are having difficulties paying, please contact us so we can try to help.

If you do not pay, we can use various methods to pursue payment. These include obtaining information via public sources, sharing with other government organisations, referencing/tracing agencies and private sector debt collectors.

We are legally required to make some debt collections (e.g. Council Tax) and therefore the legal basis for processing is GDPR Article 6 1(c) - processing is necessary for compliance with a legal obligation to which the controller is subject.

Some debt accumulated is not a legal obligation but may be contractual and covered by GDPR Article 6 1(b) - received chargeable services from us and not paid for them.

Some further debts are accumulated by default by the data subject leading to a debt to the public purse, for example, unpaid utility bills which then become the liability of the council.

It in the public interest to collect these to avoid detriment to the public purse and therefore covered by GDPR Article 6 1(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

What is the purpose for collecting your data?

Electoral Services are responsible for producing the electoral register. This is a list of all people who are eligible to vote in elections in the borough of Enfield. The law requires us to share the data with various agencies and parties. Electoral Services are also responsible for managing elections in the borough. This involves using the data to enable people to vote, and to enable parties and candidates to participate. We collect personal data from our residents to enable us to carry out these functions and all functions are performed in the public interest.

The Council appoints an Electoral Registration Officer (ERO) and a Returning Officer (RO) who has the legal powers to collect this data.

Laws that govern the collection and use of this data

The following lists all primary and secondary legislation relevant to the collection, processing and retention of personal data:

  • Electoral Administration Act 2006
  • Electoral Administration Act 2013
  • European Parliamentary Elections (Registration of Citizens of Accession States) Regulations 2003
  • European Parliamentary Elections Regulations 2004
  • European Parliamentary Elections (Amendment) Regulations 2009
  • Greater London Authority Elections Rules 2007
  • Greater London Authority Elections (Amendment) Rules 2012
  • Local Authorities (Mayoral Elections) (England and Wales) Regulations 2007
  • Local Elections (Principal Areas) Rules 2006
  • Local Government Act 1972
  • Neighbourhood Planning (Referendums) Regulations 2012
  • Police (Scotland) Regulations 2004
  • Representation of the People Act 1983
  • Representation of the People (England and Wales) Regulations 2001
  • Representation of the People (England and Wales) (Amendment) Regulations 2002 and 2006
  • Representation of the People (England and Wales) (Amendment) (No 2) 2006
  • Representation of the People (England and Wales)/(Scotland) (Amendment) Regulations 2014
  • The Local Authorities (Mayoral Elections) (England and Wales) (Amendment) Regulations 2011
  • The Local Elections (Principal Areas) (England and Wales) (Amendment) Rules 2011

Purpose for collecting your name, address, date of birth, nationality and national insurance number

We are legally required to collect this information so we can determine if you are eligible to vote and to record you as a legitimate voter. The national insurance number is removed as soon as we determine your application. We share this data with the government office which provides the Individual Electoral Registration Digital Service. They check the data against other government records to determine its legitimacy. Find out more about privacy when registering to vote.

What other data do we collect?

We also collect data on electoral registration and election staff so we can employ them to conduct electoral duties. Political parties and candidates are required to provide information when they wish to stand for election. Again, electoral law determines what data we have to request and how long we retain it.

Who do we share the data with?

The information you provide is held in electoral registers which are managed by electoral registration officers who, using information received, keep two registers – the full electoral register and the open (edited) register.

The full register is published once a year and is updated every month and can only be supplied to the following people and organisations:

  • Boundary Commission for England
  • Candidates standing for elections
  • Credit Reference Agencies
  • Electoral Commission
  • Elected Representatives (MP, MEPS, Local Councillors)
  • Government departments or bodies
  • Jury Summoning Bureau
  • Local and National Political Parties and Registered Campaigners
  • National Fraud Initiative
  • Parish and Community councils
  • Partner Electoral Registration and Returning Officers
  • Police and Crime Commissioner
  • Police Forces and the National Crime Agency
  • Public Library or local authority archive services
  • Statistics Authority
  • The Council

We also have to disclose (share) your information with our Software providers and contracted printers for the purposes of carrying out our duties of electoral registration and elections.

It is a crime for anyone who has a copy of the full register to pass information from this register on to others, if they do not have a lawful reason.

The full register

The full register contains data on all registered electors. Anyone can inspect the full electoral register under supervision. They can take extracts from the register, but only by hand written notes. Information taken must not be used for direct marketing purposes, in accordance with data protection legislation, unless it has been published in the open version of the register. Anyone who fails to observe these conditions is committing a criminal offence and may be charged a penalty of up to £5,000.

The open register

The open register contains the same information as the full register, but is not used for elections or referendums. It is possible to opt-out of the Open Register. It is updated and published every month and can be sold to any person, organisation or company for a wide range of purposes. It is used by businesses and charities for checking names and address details; users of the register include direct marketing firms and also online directory firms.

You can choose whether or not to have your personal details included in the open version of the register; however, they will be included unless you ask for them to be removed. Removing your details from the open register will not affect your right to vote.

How long do we hold your data?

The Electoral Registration Officer and Returning Officer are obliged to process your personal data in relation to preparing for and conducting elections. Your details will be kept and updated in accordance with our legal obligations and in line with statutory retention periods. For a copy of our Retention Policy please contact us directly.

Your rights

You are entitled to request a copy of any information about you that we hold. Any such requests must be made in writing. If the information we hold about you is inaccurate you have a right to have this corrected and you have the right to request completion of incomplete data.

You have the right to request the deletion of your personal data in certain circumstances (‘right to be forgotten’). You have the right to request that we stop, or restrict the processing of your personal data, in certain circumstances. Where possible we will seek to comply with your request, but we may be required to hold or process information to comply with a legal requirement.

If you are dissatisfied with how the Electoral Registration Officer/Returning Officer have used your personal information you have a right to complain to the Information Commissioner's Office.

The collection and provision of your data is a statutory requirement

The Electoral Registration Officer and Returning Officer are required to keep a record of your personal data in order to comply with the Representation of the Peoples Act 1983, Electoral Registration and Administration Act 2013, Representation of the People Regulations 2001 and Electoral Registration (Disclosure of Electoral Registers) Regulations 2013.

Enfield Council has responsibilities under the Civic Contingencies Act 2004 to be prepared for emergencies and able to react to them. This requires us to keep data on our employees for emergency contacts, but also employees of other organisations required for emergency preparedness. Consent is obtained at the time of requesting the contact. Currently organisations include, but are not limited to Metropolitan Police, London Fire Brigade (LFB), London Ambulance Service (LAS), the Military, the NHS, Clinical Commissioning Groups, Environment Agency, Thames Water, British Red Cross, Voluntary Sector Representatives, representatives of organisations offering emergency rest centres and Highways Agency.

Before we provide services, goods or financing to you, we undertake checks for the purposes of preventing fraud and money laundering, and to verify your identity. These checks require us to process personal data about you.

The personal data you have provided, we have collected from you, or we have received from third parties will be used to prevent fraud and money laundering, and to verify your identity.

Details of the personal information that will be processed include, for example: name, address, date of birth, contact details, financial information, employment details, device identifiers including IP address and vehicle details.

We and fraud prevention agencies may also enable law enforcement agencies to access and use your personal data to detect, investigate and prevent crime.

We process your personal data on the basis that it is necessary in the public interest or in exercising official authority for us to prevent fraud and money laundering, and to verify identity, in order to protect ourselves and to comply with laws that apply to us.

Fraud prevention agencies can hold your personal data for different periods of time, and if you are considered to pose a fraud or money laundering risk, your data can be held for up to six years.

As part of the processing of your personal data, decisions may be made by automated means. This means we may automatically decide that you pose a fraud or money laundering risk if our processing reveals your behaviour to be consistent with money laundering or known fraudulent conduct, or is inconsistent with your previous submissions, or you appear to have deliberately hidden your true identity. You have rights in relation to automated decision making: if you want to know more please contact us using the details at Other Important Privacy Information.

Consequences of processing

If we, or a fraud prevention agency, determine that you pose a fraud or money laundering risk, we may refuse to provide the services or financing you have requested, or to employ you, or we may stop providing existing services to you.

A record of any fraud or money laundering risk will be retained by the fraud prevention agencies, and may result in others refusing to provide services, financing or employment to you. If you have any questions about this, please contact us on the details above.

Data transfers

Whenever fraud prevention agencies transfer your personal data outside of the European Economic Area, they impose contractual obligations on the recipients of that data to protect your personal data to the standard required in the European Economic Area. They may also require the recipient to subscribe to ‘international frameworks’ intended to enable secure data sharing.

Your rights

Your personal data is protected by legal rights, which include your rights to object to our processing of your personal data; request that your personal data is erased or corrected; request access to your personal data.

For more information or to exercise your data protection rights, please contact us using the contact details at Other Important Privacy Information

You also have a right to complain to the Information Commissioner’s Office which regulates the processing of personal data.

If you enquire about or apply for a grant under the Housing Grants, Constructions and Regulations Act 1996 and Regulatory Reform (HA) Order 2002, we will keep data relating to this purpose and to offer you a grant should you be eligible. Data is currently kept for at least seven years.

We are participating in a national homelessness research project called Homelessness Case Level Information Collection (H-CLIC). View the privacy information regarding this purpose below:

Purposes for which data held

The sharing of data gathered for H-CLIC is for research purposes only and aims to provide central government departments, local public services and delivery partners with valuable information about the cycle of homelessness and its impact on outcomes, as well as the impact and cost benefit of interventions and services targeted at reducing homelessness.

Nature, scope, context and purposes of processing

The project involves sharing personal identifiers and personal data between local authorities and MHCLG. The personal identifiers provided by local authorities will be processed by ONS (MHCLG’s trusted third party processor) to create an ONS identifier (ONS ID) that can be used to link together H-CLIC Data submissions over time and across local authority boundaries.

Who are the data subjects?

"The data subjects are residents of Enfield Known to Housing Services and their families. In the future it is hoped that the data can also be linked to other datasets, such as Rough Sleeping Questionnaire (RSQ), The Troubled Families Evaluation Dataset, and data from other Government Departments (OGDs), such as Ministry of Justice, Department for Education and Department for Work and Pensions/Her Majesty’s Revenue and Customs and health agencies (NHS Digital and Public Health England). The resulting dataset created for this project will be shared with ONS (in a de-identified form) to be made available to bona fide academics in the Secure Research Service (SRS).

ONS (as the data processor) will use the personal identifiers (referred to as H-CLIC PI) gathered from local authorities to create a look-up table of unique identifiers (ID numbers) to facilitate the matching of attribute data (including H-CLIC attribute data, the rough sleeping questionnaire and data from other government departments. The look-up table contains ID numbers only and no personal identifiers. The project and the look-up table have been designed to ensure the attribute data is pseudonymised (de-identified) at the earliest opportunity and staff analysing the attribute data do not know the identity of data subjects – organisational measures have been put in place to protect the anonymity of data subjects, including separation of roles for each organisation (MHCLG and ONS), separation of duties for staff and measures to ensure the identifiable data (H-CLIC PI data) is handled separately to any attribute data (e.g. H-CLIC attribute data).

For this project, MHCLG and local authorities are independent data controllers and ONS is the trusted third-party data processor acting on behalf of MHCLG.

Data sharing will take place between local authorities and national public bodies and data sharing agreements will be agreed between MHCLG and each party. The data gathered for the project will be de-identified to allow use for research only. "

Is this sharing necessary?

Data sharing is necessary to observe the effectiveness of Homelessness Programmes and the Homelessness Reduction Act 2017 on a wide range of different outcomes that it aims to affect, spanning the remit of different Government Departments and to control for household and individual characteristics.;

Do you have explicit, written and freely given consent for each type of processing?

Not applicable

State when and how written consent is obtained

Not applicable

Under what legal basis are you processing?

The Homelessness Reduction Act 2017 (the 2017 Act) significantly reformed England’s homelessness legislation by placing duties on local authorities to intervene at earlier stages to prevent homelessness in their areas. It also requires housing authorities to provide homelessness services to all those affected, not just those who have ‘priority need’. The 2017 Act was fully in force by 3rd April 2018. Hence the legal basis will be GDPR Article 6 1(c) – legal requirement on the controller and 6 1(e) public task.

Where the personal data to be processed is special category data (sensitive personal data) it will be possible to rely on Article 9(2)(g) of the GDPR. MHCLG will rely on meeting the condition in Schedule 1, Part 2, paragraph 6 of the DPA 2018 in order to process special category personal data in accordance with section 10(3) of the DPA 2018.

Article 9(2)(g) allows for the processing of special category data where it is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject/individual.

A DPA has been signed between Enfield and the MHCLG for the quarterly on-going supply of H-CLIC personal identifiers and attribute data to the Ministry for Housing, Communities and Local Government. This data share will facilitate the linking of homelessness and other data sources to improve the evidence of the causes of homelessness as well as the factors associated with better outcomes. 

Are any of the data subjects under 13?


If so, how are you obtaining parental consent for processing? If no consent, what is the legal basis?

Not required as covered by The Homelessness Reduction Act 2017 (the 2017 Act) hence legal basis is as above.

How long is the data retained for after processing?

Retention of Data follows national guidelines.

Why are we collecting this data?

Understanding more about what causes homelessness and how well homelessness services meet peoples’ needs

This research is being carried out by the Ministry of Housing, Communities and Local Government (MHCLG).

What's the aim of this study?

By carrying out this research, MHCLG aims to find out whether:

  1. Housing services prevent homelessness
  2. People return for help and/or move regularly
  3. Homelessness programmes, such as Housing First, reduce homelessness
  4. There are other causes of homelessness and outcomes, such as poor health

To do this, MHCLG wants to link information about you and others in your household together with other information, including your homelessness application and past and future information on your use of services and benefits.

MHCLG will use your personal information - name, date of birth, gender, last known address, National Insurance number (if known) - to gather the right data held by other government agencies. Any information you provide will not be used to make any decisions about what benefits you get, services you use, now or in future, or used to identify fraud.

Whose data are you collecting?

We want to collect data on all people asking for help with homelessness.

What's involved?

At your assessment you will be asked questions about:

  • your experiences of homelessness
  • your support needs
  • whether you have spent time in local authority care, and your current employment status

What will happen to the information provided?

Your information will only be used for research and will be anonymised so the researchers will not know whose data they have.

Your local authority will send your information to MHCLG using a secure IT system.

Your personal information (name, date of birth, gender, last known address) will be used to identify data collected as part of your assessment and linked to information held by other government departments:

  • Department for Work and Pensions (DWP) – to see what benefits you have received and whether you have been employed
  • Ministry of Justice (MOJ) – to see what contact you may have had with the criminal justice system
  • Department for Education (DfE) – to see when your child has been in school, how well they are doing at each Key Stage and whether they are a Child in Need

Your information will be kept strictly confidential. Your name, date of birth, gender, address and National Insurance number will be kept separately from all the other information in a secure, password-protected document on a computer system. You will be assigned a unique reference number, so that even though a researcher will see all your information, they will not be able to know it is you.

How long will my information be kept for?

DWP, DfE and MOJ will only keep your personal information for a month and will not keep records showing you were part of this research.

MHCLG will keep your personal information for five years.

We will only use your data within the terms of data protection laws, will delete your data securely and only keep it for as long as necessary. We will review dates for keeping personal data in the future and if necessary update these privacy notices.

To legally share data for this research, local authorities and MHCLG will rely on the Digital Economy Act 2017.

The collection of personal information by MHCLG for this project is compliant with data protection legislation.

Your local authority will collect your personal data under the public task basis (in this case to provide housing services) and agree to share this data with MHCLG under the public task basis (in this case to reduce homelessness).

MHCLG will rely on the following reasons for processing personal data and additional special category data below:

  1. Lawful basis for processing personal data under Article 6 GDPR

The processing is necessary for this reason:

  1. Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  1. Additional condition for processing special category data under Article 9(2) GDPR

Special category personal data may be processed if:

(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

  • The DPA 2017 will provide a lawful basis to process criminal offence data (as required by Article 10 GDPR).

What are my rights?

You can talk to your local authority about whether your data is being used for this project without it affecting your legal rights or routine care. You can also see copies of all the data MHCLG hold about you and ask for it to be corrected or deleted.

What if I want more information?

If you want more information you can ask a member of staff. You can also contact MHCLG’s Knowledge and Information Team about seeing your data or withdrawing from the research.

If you are unhappy with the way your personal information is being handled you can contact the independent Information Commissioner.

What will happen to the results of this research?

The final results of this research will be published on the main government website. You will not be identified in any research report.

If you come to us for housing services, including sheltered housing and homelessness, we will collect data such as name, address, date of birth, medical information, income and expenditure, schooling, work and family composition in order to assist us in the allocation of emergency/temporary accommodation or affordable longer term accommodation. This work is carried out under the Housing Act 1996. We retain the data about you in accordance with our retention policy (PDF) – the length of time it is retained depends on your needs and the type of tenancy you receive.

The information we hold, and the information provided to us by the Department for Work and Pensions (DWP) is required for the calculation of your Housing Benefit and Council Tax Support claim.

We receive personal information from yourself via your on-line application form, from the DWP, HMRC and from landlords.

The information collected includes:

  • Your name, address and date of birth
  • Your financial information, including earnings and savings
  • Your household details
  • Your financial circumstances
  • Your National Insurance number
  • Your landlord details
  • Your immigration status

We have a duty to protect the public funds we administer and may use information held about you for all lawful purposes, including the prevention and detection of fraud. The Council may also share this information with law enforcement agencies and other bodies responsible for auditing or administering public funds for these purposes.

Your data will be kept for a period of seven years from the end of your claim.

Enfield Council keeps a wide range of information for the prevention and detection of crime under various acts including the Crime and Disorder Act 1998 and the Fraud Act 2006. Data held for these purposes are exempt from certain provisions of the GDPR by the Data Protection Act 2018 section 15 and Schedule 2 Part 1.

For more information on fraud prevention, visit Fraud detection and prevention.

If you sign up to our library service, we keep data on you to enable us to contact you, to record items you have used/borrowed from the library. We keep this data for one year after your last interaction with us, unless you have outstanding fines in which case your record is kept until the fine is paid.

Enfield Council has a duty to protect the public funds we administer.

To help do this, and to prevent and detect fraud, we share information with the Cabinet Office, who is responsible for carrying out the National Fraud Initiative data matching exercise.

Data matching

Data matching involves comparing computer records held by one body against other computer records held by the same or another body, to see how far they match. This is usually personal information.

Computerised data matching allows potentially fraudulent claims and payments to be identified. If a match is found, it may show that there is an inconsistency which needs to be investigated. No assumption can be made as to whether there is fraud, error or other explanation until an investigation is carried out. Matching also helps to keep records up to date and accurate.

Types of data provided by Enfield Council for this purpose may include:

  • payroll and pensions
  • housing data, including tenancy, right to buy and housing register
  • Council Tax
  • Council Tax Reduction Scheme
  • Housing Benefit
  • Electoral Register
  • residents parking permits
  • concessionary travel records
  • creditors
  • business rates

The use of data by the Cabinet Office in a data matching exercise is carried out with statutory authority under Part 6 of the Local Audit and Accountability Act 2014.

Please note this doesn't require the consent of the individuals concerned under the GDPR and the DPA 2018.

See the Cabinet Office’s National Fraud Initiative for more information, including their National Fraud Initiative data privacy notice and code of practice.

If you have any questions about this exercise, contact our Counter Fraud Team by emailing fraud.team@enfield.gov.uk.

If you are receiving support from adult social care then the NHS may share your NHS number with adult social care. This is so that the NHS and adult social care are using the same number to identify you whilst providing your care. By using the same number the NHS and adult social care can work together more closely to improve your care and support.

Your NHS number is accessed through an NHS service called the Personal Demographic Service (PDS). Adult social care sends basic information such as your name, address and date of birth to the PDS in order to find your NHS Number. Once retrieved from the PDS the NHS Number is stored in the Council’s adult social care case management system.

These data are retained in the adult social care system in line with the Council’s record retention policies. These policies are in accordance with the Data Protection law, Government record retention regulations and best practice. Further information is available on our policies and procedures.

In terms of the Data Protection Act the Council is both the Data Controller and the Data Processor.

The NHS Number then has two uses, the first being a unique identifier to allow Social Care information to be displayed in the Council’s adult social care case management system, for the provision of direct care. We will also use this Number in an integrated care record system across a number of support services including GP’s, hospitals, community matrons, district nurses and social care practitioners.

The Council will share information only to provide health and social care professionals directly involved in your care access to the most up-to-date information about you. It will do this by sharing appropriate information between health and social care services at the time of patient contact. Access to information is strictly controlled, based on the role of the professional. For example, social workers will only have access to information that is relevant to the execution of their care duties.

The Council’s IT security and confidentiality policies ensure that your information is protected, and available only to staff directly involved in your care. These policies are available on our policies and procedures.

The use of joined up information across health and social care brings many benefits. One specific example where this will be the case is the discharge of patients into social care. Delays in discharge (commonly known as bed blocking) can occur because details of social care involvement are not readily available to the staff on the hospital ward. The hospital does not know who to contact to discuss the ongoing care of a patient. The linking of social care and health information via the NHS Number will help hospital staff quickly identify if social care support is already in place and who the most appropriate contact is. Ongoing care can be planned earlier in the process, because hospital staff will know who to talk to.

The addition of the NHS Number to social care data will bring additional benefits:

  • Better coordinated and safer care across health and social care enabled through the sharing of real-time information.
  • Better coordination of discharges from hospital into social care, as explained above.
  • More time to spend on planning and coordinating social care because health staff can identify and involve social care staff earlier in the process.
  • Earlier intervention to maximise the opportunities or reablement services leading to greater independence for patients.
  • Less paperwork and more efficient use of social care resources.

You have the right to object to the processing of your NHS Number in this way. This will not stop you from receiving care, but will result in the benefits outlined above not being realised. To help you decide, we will discuss with you how this may affect our ability to provide you with care, and any other options you have.

If you wish to opt-out from the use of your NHS Number for social care purposes, please talk with your social worker.

Aon Hewitt Limited ("Aon") has been appointed to provide pensions advisory and calculation services that relate to your membership of the Fund. In doing so Aon will use personal information about you, such as your name and contact details, information about your pension contributions, age of retirement, and in some limited circumstances information about your health (where this impacts your retirement age) in order to be able to provide these services.

The purposes for which we use personal information will include management of the Fund and your membership within it, funding (i.e. helping to ensure that the funds held within the Fund are sufficient to cover the members who are party to it), liability management (that is to say providing advice on the different ways benefits could be determined, and drawn, from the Fund), Fund Actuary duties (which include assessing individuals who are members of the pension scheme and assessing how the make-up of the membership may affect the amounts payable and when they become payable so as to manage the Fund appropriately), regulatory compliance, process and service improvement and benchmarking.

We may pass your personal information to third parties such as financial advisors and benefits providers, insurers, our affiliates and service providers and to certain regulatory bodies where legally required to do so. Depending on the circumstances, this may involve a transfer of data outside the UK and the European Economic Area to countries that have less robust data protection laws. Any such transfer will be made with appropriate safeguards in place.

More detail about Aon’s use of your personal information is set out in our full Privacy Notice. You can also request a copy by contacting us, including reference to the Fund name, at: Data Protection Officer, Aon Hewitt Limited (Retirement and Investment UK), PO Box 730, Redhill, RH1 9FH

If you supply goods or services to the council, we keep records of this supply including your contact details, contract details, purchase orders made, goods/services/invoices received, bank details for payment purposes and records of contacts made. These are kept for seven years after your last interaction with the council.

From 1 April 2013, local authorities were given a new duty to improve the health of their residents.

The Public Health team in a local authority is required to commission and manage certain Public Health services for residents, and provide advice and intelligence about health and wellbeing to help the Council, NHS and other partners plan services that meet the needs of the people of Enfield. To fulfil this function, the Enfield Public Health team uses data and information from a range of sources.

The Enfield Public Health team has a legal status allowing the processing of Personal Confidential Data for Public Health purposes. The use of such data will be restricted so that the principles contained in the Data Protection Act 1998 are fully adhered to. The legal basis is section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

The data we collect

The Enfield Public Health team collects and holds information for public health purposes about:

  • residents of Enfield
  • people receiving health and care services in Enfield
  • people who work or attend school in Enfield

all to whom it has a public health duty of care.

This information includes;

  • information from birth and death certifications (personal identifiable information from NHS Digital used for public health purposes)
  • information about the provision of Public Health related services including:
    • immunisations
    • control of infection
    • drug and alcohol treatment services
    • sexual health services
    • 0-5 Health Visiting and Family Nurse Partnership services
    • school nursing services
    • National Child Measurement Programme
    • lifestyle and behaviour change services
    • cancer screening
    • other screening programmes
    • public health initiatives
  • information about lifestyle behaviours, including data collected from surveys
  • information about disease incidence and prevalence, including cancer registrations,
  • information on other health issues such as blood pressure and diabetes,
  • information about health and social care use, including
  • GP services
  • Hospital services
  • NHS community services
  • Mental health services
  • Social care services
  • Geographical codes such as postcodes for analyses of health inequalities

Types of information we use

We work with many types of data to be able to promote health and support improvements in the delivery of health and care services in Enfield. We can describe the data as follows:

  • Personal Identifiable data (PID) – this is personal data that can identify individuals, such as name, date of birth, gender, address, postcode and NHS number.
  • Pseudonymised data – this contains information about individuals but with the identifiable details replaced with a unique code.
  • Anonymised data – All identifying details are anonymised so individuals can not be identified.
  • Aggregated data – This is data that has been grouped together so that it doesn’t provide information on individuals, only groups of people.

Why do we collect this information and how do we use it?

Enfield Public Health team uses personal identifiable information about residents and users of health care, to enable it to carry out specific functions for which it is responsible, such as:

  • control of infection
  • management of risks to public health
  • organising the National Child Measurement Programme
  • organising the NHS Health Check Programme
  • organising and supporting the 0-5 health visiting and Family Nurse Partnership Services and school nursing services
  • organising sexual health services
  • organising drug and alcohol treatment services.

The Public Health team also uses the information to derive statistics and intelligence for assessments and planning purposes, which include:

  • producing assessments of the health and wellbeing needs of the population, in particular to support the statutory responsibilities of the:
    • Joint Strategic Needs Assessment (JSNA)
    • Director of Public Health Annual report
    • Health and Wellbeing Strategy
    • Pharmaceutical Needs Assessment
  • identifying priorities for action
  • informing decisions on (for example) the design and commissioning of services
  • to assess the performance of the local health and care system and to evaluate and develop them
  • to report summary statistics to national organisations
  • undertaking equity analysis
  • to support clinical audits, for example deaths from suicide or childhood deaths
  • to provide intelligence to aid the Council in its duty to protect and improve the health of the population

These statistics are presented in such a way that individuals cannot be identified from them and personal identifiable details are removed as soon as is possible in the processing of intelligence.

How do we collect this information?

This information is collected in two ways:

It may be provided to us directly by a member of the public when they sign up to use a service we are providing.

It may be shared with us by another organisation due to us being part of a service they are providing, or as part of research and intelligence necessary for Public Health functions, such as informing decisions on the design and commissioning of services. This will include organisations such as Office for National Statistics, NHS Digital, national, regional and local NHS bodies, Clinical Commissioning Group, local authorities and schools.

How do we keep our information secure and who do we share it with?

We are required to comply with data protection regulations to ensure information is managed securely and this is reviewed every year as part of our NHS Information Governance Toolkit assessment.

Any personal identifiable data is sent or received using secure email. All data is stored electronically on secure equipment and is managed using the principles of medical confidentiality and data protection. The number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all who of whom undertake regular training about data protection and managing personal information.

Confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations, once the necessary legal basis has been established and data protection safeguards have been verified, so that the data is managed and used under the same restrictions. Anyone who receives information from Enfield Council Public Health is also under a legal duty to keep it confidential.

In relation to births, deaths and hospital episode statistics, the data will only be processed by Local Authority employees in fulfilment of their public health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of the Local Authority or in connection with their legal function.

We only keep hold of information for as long as is necessary. This will depend on what the specific information is and the agreed period of time. Data is permanently disposed of after this period, in line with Enfield Council’s  retention policy (PDF)  or the specific requirements of the organisation who has shared the data with us.

How to opt out

You have the right to opt out of Enfield Council Public Health receiving or holding your personal identifiable information. There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. The process for opting out will depend on the specific data is and what programme it relates to. For more information, email complaintsandinformation@enfield.gov.uk.

Where to find further information

The Council is registered as a Data Controller with the Information Commissioner’s Office (Registration Number Z5492012) under the Data Protection Act. Further details about how the Council processes personal data can be found in our registration via the Information Commissioner’s Office. You can also view the Council’s NHS Information Governance Toolkit status.

The Registrars service in Enfield has a separate Data Protection registration from the council. The service holds details of births, marriages and death as required by the various acts. This is a statutory service and all data held is in line with the statutes, specifically the Births and Deaths Registration Act 1953, the Marriage Act 1949 and The Register of Marriage Regulations 2015.

The council is required to provide services for a wide range of regulation enforcement and delivery services including, but not limited to:

  • abandoned vehicles
  • accidents at work
  • anti-money laundering
  • community WC scheme
  • food licensing
  • infectious disease control
  • private sector housing
  • public nuisance issues
  • public heath funerals

Each of these services is either covered by a legal basis in legislation and therefore does not require a consent, or is a service which people request and therefore give consent at that point. Many users are companies, but for sole traders the privacy regulations will apply. Retention periods for records are published in the retention policy (PDF).

Enfield Schools are responsible for their own data protection compliance and therefore have individual privacy notices. Please refer to the school website for details.

Information we collect, process, hold and share

Enfield Council in its role at a Local Education Authority keeps a range of data relating to schools and early years settings, to administer services. These include the following:



Data kept (contact, pupil identification, parent/carer identification assumed), consent/legal basis and retention period

Music service

Manage and organise music education

Details of learning, attendance records, correspondence, free school meals status (for discounts), payments, methods, instrument, level, exams, results. A waiting list is also maintained. Consent on application, three year retention.

Activities database

Manage and organise group activities, provide records to Arts Council England for grant funding

Attendance records, correspondence, payment reconciliation, application of concessionary rates data, ethnicity, gender and age. Consent on application, retained for 6 months after last attendance.

Scholarship database

Enable applications to various funding bodies for scholarships.

Details vary depending on the scholarship qualification requirements. Consent on application, retained for two years after scholarship is finished.

Finance and school place planning

Manage and organise school budgets

Details of pupils; attendance records; free school meals; exclusions; Education Heath and Care Plan records


Early Years and Families Information

To support children's learning and behaviour; Monitor and report on children's progress; Meet our duties to promote high standards of educational achievements; Provide appropriate care; Monitor the impact of funded 2 year olds and 3 and 4 year olds; assess the quality of our services.

Basis on which we use this information

We collect and use this information under the Education Act 1996, various enactments relating to the sharing of data with the Department for Education e.g. the Education (Information about Individual Pupils) (England) Regulations 2013. We also collect special category data under the Education Act 1996 and the Children Act 1989 where required. Information outside these enactments is collected and used by consent e.g. voluntary activity data. We will always inform you if you are providing data on a legal basis or if you have a choice about provision.

Who we share this information with

We routinely share children and young person’s information with:

  • The Department for Education (DfE) - on a statutory basis under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013.
  • Youth support services – under section 507B of the Education Act 1996, to enable them to provide information regarding training and careers as part of the education or training of 13-19 year olds
  • Public health – see the public health section of this notice.
  • Schools, academies and educational services – for the management and delivery of education.

Education and training

We hold information about young people living in our area, including about their education and training history. This is to support the provision of their education up to the age of 20 (and beyond this age for those with a special educational need or disability). Under parts 1 and 2 of the Education and Skills Act 2008, education institutions and other public bodies (including the Department for Education (DfE), police, probation and health services) may pass information to us to help us to support these provisions.

Youth support services and pupils aged 13+

Once our pupils reach the age of 13, we pass their contact details to the provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996. This enables them to provide of youth support service and careers advice.

A parent / guardian can request that only their child’s name, address and date of birth be passed to their provider of youth support services by informing us at the contact details in this notice. This right is transferred to the child/pupil once he/she reaches the age of 16.

Pupils aged 16+

We will also share relevant information about pupils not in education, training or employment (such as their contact details) aged 16+ with the provider of youth support services as they have responsibilities in relation to the education or training of 13-19 year olds under section 507B of the Education Act 1996.

This enables them to provide the following services:

  • post-16 education and training
  • youth support services
  • careers advice

Find out more about services for young people.

Why we share this information

We share children and young person’s data with the Department for Education (DfE) on a statutory basis under section 3 of The Education (Information About Individual Pupils) (England) Regulations 2013. This data sharing underpins school funding, educational attainment policy and monitoring and enables them to; produce statistics, assess our performance, determine the destinations of young people after they have left school or college and to evaluate Government funded programmes.

We do not share information about children and young people without consent unless the law and our policies allow us to do so.

Data collection requirements

To find out more about the data collection requirements placed on us by the Department for Education (for example; via the school census) visit GOV.UK.

The National Pupil Database (NPD)

The NPD is owned and managed by the Department for Education and contains information about pupils in schools in England. It provides invaluable evidence on educational performance to inform independent research, as well as studies commissioned by the Department. It is held in electronic format for statistical purposes. This information is securely collected from a range of sources including schools, local authorities and awarding bodies.

The law requires us to provide information about our pupils to the DfE as part of statutory data collections. Some of this information is then stored in the national pupil database (NPD). The legislation that requires this is the Education (Information About Individual Pupils) (England) Regulations 2013. Find out more about the NPD.

The Department may share information about our pupils from the NPD with third parties who promote the education or well-being of children in England by:

  • conducting research or analysis
  • producing statistics
  • providing information, advice or guidance

The Department has robust processes in place to ensure the confidentiality of our data is maintained and there are stringent controls in place regarding access and use of the data. Decisions on whether DfE releases data to third parties are subject to a strict approval process and based on a detailed assessment of:

  • who is requesting the data
  • the purpose for which it is required
  • the level and sensitivity of data requested: and
  • the arrangements in place to store and handle the data

To be granted access to pupil information, organisations must comply with strict terms and conditions covering the confidentiality and handling of the data, security arrangements and retention and use of the data. Find out more information about the department’s data sharing process.

For information about which organisations the department has provided pupil information, visit GOV.UK. You can also contact the DfE.

Requesting access to your personal data

Under data protection legislation, parents and pupils have the right to request access to information about them that we hold. To make a request for your personal information, or be given access to your child’s educational record held by their education provider, contact us at the details given in this notice.

You also have the right to:

  • object to processing of personal data that is likely to cause, or is causing, damage or distress
  • prevent processing for the purpose of direct marketing
  • object to decisions being taken by automated means
  • in certain circumstances, have inaccurate personal data rectified, blocked, erased or destroyed; and
  • claim compensation for damages caused by a breach of the Data Protection regulations

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance at the contact details in this notice. Alternatively, you can contact the Information Commissioner’s Office.

To validate your bank account details, we need to share relevant information you've given us with TransUnion. This will be used to ensure your support payment is paid to the correct bank account and to help prevent fraudulent use of support payments.

This is not a credit check and won't impact your credit rating.

For more information on how TransUnion may use your data, visit TransUnion.

The Social Care service collects a wide range of data relating to persons in need of social care services, their carers, family and other persons who may affect them. This includes data which is defined by the Data Protection Law as “special categories” including data relating to racial or ethnic origin, religious or philosophical beliefs, genetics, health and sexuality. The Care Act 2014 and Children Act 1989 gives the Social Care service the legal basis for processing, but we also seek consent where possible for processing your data. If you refuse consent, or limit processing this may affect the level of service we can provide to you and could potentially put you at risk. We may, where you or someone else is at serious risk if we do not share information, share information without your consent, but only if absolutely necessary to prevent harm.

It is commonly necessary for persons receiving / providing social care to be provided with finance in order to manage personal budgets, provide care or other appropriate reasons. In order to monitor spending of public funds, the council records these financial transactions in addition to the data above. These are kept for seven years after the repayment period.

Enfield Special Guardianship Service is committed to protecting the privacy and security of your personal information. The special guardianship privacy notice (PDF) describes how we collect and use personal information about you during and after your working relationship with us, in accordance with the data protection legislation. This applies to all users of our Special Guardianship service.

Enfield Council, as a responsible employer, is required by law to keep a wide range of data on prospective, current and former employees, pensioners, contract staff and volunteers. This data has restricted access and is only generally available to appropriate staff including HR advisors and Heath and Safety staff, with managers having limited access to data about their staff.

In addition to statutory requirements, Enfield Council keeps information relating to staff performance, staff vetting, staff training, staff emergency contacts, staff access to sites/buildings/rooms, staff health data where needed to ensure safety of the staff member or the public and other data needed for the safe and responsible delivery of its services. Retention periods for the data are published in our retention policy (PDF).

Enfield Council uses external professional services for occupational health, and staff information will be passed to these providers where there is a need for an occupational health assessment or follow-up.

The legal basis for this use is GDPR Article 6 1(b) - contract with the data subject, GDPR Article 6 1(c) - legal requirement on controller depending on the type of employment, and GDPR Article 9 2(b) for sensitive data - obligations in the field of employment law.

The council is required by central government to assist in this survey every two years as part of the national carers strategy.

We are required to ask all adult carers in the borough to participate in the survey and to collect and collate data which is then used for planning across government. We do not share personal data of carers with any other organisation, but do share anonymised data with other organisation including health, central government and the voluntary sector.

The data is also used by the council to:

  • inform delivery of service and support
  • monitor and develop standards
  • benchmark against other councils