Privacy notice

Epping Forest District Council is a data controller pursuant to the General Data Protection Regulation 2016 (the ‘GDPR’). This means that the Council decides how your personal data is processed and for what purposes. The Council is committed to protecting your personal and respecting your right to privacy.

The Council will obtain information about you when you contact the authority, when you request the provision of specific services or when you use its website or other forms of communication, such as the completion of an online form.

This privacy policy explains how the Council collects, uses and protects the personal data that it holds. The privacy policy applies to all the data we as a Council collect whether this is by letter, email, telephone, online, face-to-face or any other method.

The privacy policy does not provide exhaustive detail of all aspects of the Council’s collection and use of personal data. If you wish to obtain further information about the way that the Council processes your personal data, you should contact the Data Protection Officer.

What information do we collect about you?

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller’s possession or likely to come into such possession. The processing of personal data is governed by the GDPR and its principles.

The types of personal information that the Council collects about you might include your name, address, email address, IP address, and other information that is relevant to the enquiry that you make or the service that you request. This may include financial information and payment card information when making any payments or accessing certain applications to the Council. If you make a payment online, your payment account information is not held by the Council, as this information is collected by our third party payment processors who specialise in the secure online capture and processing of credit/debit card transactions.

Why do we collect this information and how will it be used?

The Council provides a wide range of services. In order to do this, it has to collect certain information and details about people who contact it or request the provision of such services.

The information that the Council collects will only be used for the purpose for which you have provided it and for the provision of services that you request. Your information will not be used for any other purpose unless you have given your consent, or this is otherwise required or permitted by law.

If you choose to give the Council your personal information, it will use that information to respond to your enquiry and will only pass your details to another organisation if it is required by law or that organisation is relevant to your enquiry. The Council does not collect or sell personal information for commercial purposes and will not share your information with third-parties for marketing purposes.

We comply with our obligations under the GDPR, by keeping personal data up to date; by storing and destroying it securely; by not collecting or retaining excessive amounts of data; by protecting it from loss, misuse, unauthorised access and disclosure and by ensuring that appropriate technical measures are in place to protect personal data. We use leading technologies and encryption software to safeguard your data, and keep strict security standards to prevent any unauthorised access.

How long do we keep your information?

The Council will only keep your personal data for as long as is necessary for the purpose for which we are processing it, unless we have a legitimate reason for keeping it, for example, any legal requirement to keep the data for a set time period.

Where legislation does not dictate a specific retention period, we have adopted a retention policy to ensure that no data is kept for longer than necessary after processing has taken place. Where we do not need to continue to process your personal data, it will be securely destroyed.

The lawful basis for processing your personal data

Depending on how we are processing your personal data, will determine the legal basis for processing. Generally, the legal bases for processing by the Council as a public authority will be for us to perform a task in the public interest. Where the purpose for processing your personal data has changed, we will seek your consent. In certain circumstances, you will be able to withdraw your consent to the processing of your personal data.


The Council strives to meet the highest standards when collecting and using personal information. For this reason, it takes any complaints about such matters very seriously. The Council encourages people to bring it to its attention any instances where its collection or use of personal data is considered to be unfair, misleading or inappropriate.

If you wish to make a complaint about the way the Council has processed your personal information, you should contact the Data Protection Officer.

Your rights

You can access the personal data that the Council holds about you by submitting a Subject Access Request. This request must be in writing and clearly specify the information that you require. An application form is available on the Council’s website to assist you to submit a request.

There are various other rights that you can exercise as an individual in relation to the information that the Council collects and holds about you, including

  • the right to be informed
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability
  • the right to object
  • rights in relation to automated decision making and profiling

Information about each of these rights is available on the data protection page of the Council’s website at

Disclosure of personal informartion

Depending on the purpose for which we originally obtained your personal data and the use to which it is to be put, it may be shared with other organisations. For example, personal data may be shared, where necessary, with other organisations that provide services on our behalf. In such cases, the personal data provided is only the minimum necessary to enable them to provide services to you.

The Council will not generally disclose personal data without your consent. However, there may be occasions when it may need to share personal information with other relevant bodies. The Council may pass your information to other agencies or organisations such as the Department for Work and Pensions or HM Revenue and Customs, where this is required by law.

The Council may check information that you have provided, or information about you that someone else has provided, with other information that it holds. The Council may also obtain information about you from other organisations, or disclose information to such organisations, to

  • prevent or detect crime
  • protect public funds
  • make sure information is correct

Such third parties include government departments, local authorities and private-sector companies such as banks, organisations that may lend you money and companies that assist the Council in fraud detection and prevention, such as Credit Reference Agencies.

The Council will not give information about you to anyone else, or use information about you for other purposes, unless the law allows it to. Where we require your consent to share or disclose your personal data, we will seek your consent.

Transferring your information outside of Europe

The Council may transfer your personal data to countries outside the European Union (EU), which may not have similar data protection laws to the United Kingdom. If The Council transfers your information outside of the EU in this way, it will take steps to ensure that appropriate security measures are in place to ensuring that your privacy rights continue to be protected as outlined in this Policy. If you use our services while you are outside the EU, your information may be transferred outside the EU in order to provide you with those services.

Link to other websites

This privacy policy only relates to personal data processed by Epping Forest District Council. The policy does not cover links within the Council’s website to other websites. The Council therefore encourages you to read the privacy statements available on other websites that you visit.

The Council is not responsible for the privacy practices of other websites, even if you access them using links from the Council’s website. In addition, if you linked to the Council’s website from a third party site, the Council is not responsible for the privacy policies and practices of the owners and operators of that third party site and recommend that you check the policy of such third party site.

Changes to this privacy policy

The Council keep this privacy notice under regular review. This privacy notice was last updated on 30 April 2018.

How to contact the ICO

The Information Commissioner's Office (ICO) can be contacted as follows.

Telephone 0303 123 1113

Or you can write to them at:
Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

How to contact us

The Council’s Data Protection Officer can be contacted as follows.

Telephone 01992 564180

Or you can write to us at:
Data Protection Officer, Epping Forest District Council, High Street, Epping, Essex CM16 4BZ