The information we collect is used in accordance with the General Data Protection Regulations (Regulation EU 2016/679) and Data Protection Act 2018 and other relevant legislation.

The purpose of this Privacy Notice is to tell you what information we collect about you when you use our service, how we use that information and who we may share it with. It also contains information about your rights.

What is Personal Information?

Personal information can be any information that relates to or identifies a living person.

Typically, it could include name, date of birth, postal address, email address, telephone number and debit or credit card details.

The law regards some personal information as being in a special category. This special category of personal information is given more protection by the law and includes information about an individual’s:

• Race
• Ethnic origin
• Politics
• Religion
• Trade union membership
• Genetics
• Biometrics (where used for ID purposes)
• Health
• Sex life
• Sexual orientation

Where we want to use or share special category personal information we have to identify both a legal basis for doing so and, in addition satisfy further conditions.

What services are being provided?

Library services, including:

• General library membership and use, including access to digital stock
• Requesting items we don't already stock
• Home Library Service
• Reading Groups
• Summer Reading Challenge
• Training courses, including ECDL

What personal data do we need from you?

Unless otherwise agreed with you, we will only collect the minimum personal data required to deliver the service, which includes name, address (including postcode), email address, telephone number(s), date of birth and library card number.

It may also include personal information relating to gender, ethnicity, language and disability.

For participants in the Summer Reading Challenge, we will also collect the name of the school attended.

For those undertaking ECDL courses, we will also collect details of the course(s) being undertaken and the modules passed.

Who will be using your personal data?

The ‘Data Controller’ is Bexley Library Service.

The data you provide will be accessible to the supplier of our library management system. This supplier has committed to handling data in accordance with the principles in the General Data Protection Regulations (GDPR) and the New Data Protection Act (2018) and will only do so to the extent that it is required to maintain the library management system.

Your data may also be shared with the council’s service delivery partners. We will only share your data with these partners where we have a data sharing agreement in place and only for the purpose of delivering more effective services to you.

The Council’s service delivery partners include:

• Bibliotheca – for self-service and RFID services
• British Computer Society – for administration of ECDL courses only
• Lorensbergs - for the management of the network of public computers in libraries
• OverDrive – for eBooks and eAudiobooks
• Unique Management Services – for debt recovery processes

These partners are ‘Data Processors’ supporting library services by providing us with systems.

We reserve the right to alter service delivery partners without prior notice. All service delivery partners meet the required standards for data protection and privacy.

What will it be used for and what gives us the right to ask for it and use it?

• Delivering library services to you
• Planning and improving library services
• Preventing or detecting of fraud or crime
• Research using anonymised personal data. If we wish to use your identifiable personal data we will seek your permission.
• Equal Opportunities monitoring.

If we cannot use your data we would not be able to provide you with a library service.

Our legal basis for using your personal data is under a legal obligation - The Public Libraries and Museums Act 1964.

Who else might we share your data with?

• Staff at Rose Bruford College (who share a Library Management System with us)
• Police (Only for the purposes of preventing or detecting crime or fraud)
• Children’s Services (For safeguarding purposes)

Will your data be stored in or accessible from countries with no UK-equivalent Privacy Law protections?

No.

How long do we keep your personal data?

We will only keep your personal information for as long as we consider that it is necessary to be retained. We have a Record Retention Schedule which lists how we would intend to keep your personal information.

We will review our Record Retention Schedule from time to time and therefore the time periods specified in it may change.

Once personal information is no longer needed, it will be deleted or destroyed confidentially.

We will stop using your data no more than two years after you last used our library services, after which point it will be deleted.

If you have outstanding loans or charges, your data will be retained for six years after you last used our library services, after which point it will be deleted.

The library service may separately collect personal data for the purpose of managing events activities, training and other services. This data will be handled in accordance with this privacy notice and will be retained in accordance with our Record Retention Schedule.

Data about those who volunteer with Bexley Libraries will be handled in accordance with this privacy notice and will be retained in accordance with our Record Retention Schedule.

Our use of your data will be subject to the following legal rights:

Your right to be informed

We are required to supply you with information about the processing of your personal information through notices such as this one.

Your right to access your personal data

You have the right to obtain from us confirmation that your personal data is being processed and access to your personal information. This is so that you are aware of and can verify the lawfulness of processing. There is generally no charge for this. We will provide your personal information without delay and generally within one month of the receipt of your request. Details of how to access your personal information can be found at https://www.bexley.gov.uk/about-council/complaints-and-feedback/freedom-information-requests/access-your-personal-information

Your right for us to rectify your personal data

You have the right to have any personal information which we hold about you rectified if it is inaccurate or incomplete. We will generally deal with your request within one month.

Your right to erasure of your personal information

Sometimes referred to as the “right to be forgotten”. There are some specific circumstances where the right to erasure does not apply and we can refuse to deal with a request for example, where we are under a legal obligation to process your personal information in order to perform a task in the public interest. You have the right to have personal information erased and to prevent processing in specific circumstances:

• Where the personal data is no longer necessary in relation to the purpose for which it was originally collected/processed.
• When you withdraw consent.
• When you object to the processing and there is no overriding legitimate interest for continuing the processing.
• The personal data was unlawfully processed (i.e. otherwise in breach of the GDPR).
• The personal data has to be erased in order to comply with a legal obligation.

Your right to restrict our processing of your personal data

You have the right to restrict processing of your personal information in certain circumstances. Where processing is restricted we are permitted to store your personal information but we may not process it further. We can retain just enough information about you to ensure that the restriction is respected in future.

The right to restrict arises in the following cases:

• Where you contest the accuracy of your personal information, we may restrict the processing until we have verified the accuracy of the personal data.
• Where you have objected to the processing (where it was necessary for the performance of a public interest task), and we are considering whether our legitimate grounds override yours.
• When processing is unlawful and you have opposed erasure and requested restriction instead.
• If we no longer need your personal information but you require the personal information to establish, exercise or defend a legal claim.

Your right to information portability

You have the right to obtain from us and reuse your personal information for your own purposes where you have provided the information to us yourself, where we process the information by automated means and where our basis for processing is based on consent or contract. Where this right applies we will provide you with your personal information in a structured, commonly used and machine readable form.

Your right to object

You have a right to object to:

• processing based on the performance of a task in the public interest/exercise of official authority (including profiling)
• direct marketing (including profiling)
• processing for purposes of scientific/historical research and statistics

Where the objection is to processing your personal information for direct marketing purposes we must stop processing your personal information when we receive your objection. Where the objection is to processing your personal data for the performance of a public interest task we must stop processing your personal information unless we can demonstrate compelling legitimate grounds for the processing which override your interests, or, the processing is for the establishment, exercise or defence of legal claims.

Where the objection is to processing your personal data for research purposes we do not have to comply with your objection where the processing of your personal information is necessary for the performance of a public interest task.

Your right to withdraw consent

Where the legal basis for processing your personal information is consent, you have the right to withdraw that consent at any time by notifying us.

Please contact data.protection@bexley.gov.uk and tell us which service you are using so that we can deal with your request. If you withdraw your consent it may not be possible to continue to provide you with that service.

Further Information

Visit the following links for more information about Privacy Law, our obligations and your Rights:

• The ICO Guide to the General Data Protection Regulation 2016
• The General Data Protection Regulation 2016

If you have concerns over the way we are asking for or using your personal data, please raise the matter with our Data Protection Officer by the following means:

• Postal Address : Data Protection Office, London Borough of Bexley, Civic Offices, 2 Watling Street, Bexleyheath, Kent, DA6 7AT
• Email: data.protection@bexley.gov.uk
• Phone Number: 020 8303 7777

If you still have concerns following our response you have the right to raise the matter with the Information Commissioner's Office:

• Postal Address: Information Commissioner’s Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• Online Form: https://ico.org.uk/concerns/handling/
• Phone Number: 0303 123 1113

For the London Borough of Bexley’s full privacy notice, please visit https://www.bexley.gov.uk/privacy

Last Updated: 10 November 2020