Who we are

The Tees Valley Combined Authority (TVCA) is a Combined Authority covering the Local Authority areas of Darlington, Hartlepool, Middlesbrough, Redcar & Cleveland and Stockton-on-Tees. We are a statutory body and you can contact us as follows:

Tees Valley Combined Authority

Cavendish House

Teesdale Business Park

Stockton-on-Tees

TS17 6QY

Email: info@teesvalley-ca.gov.uk

Data Protection Officer: DPO@teesvalley-ca.gov.uk

If you wish to complain about the use of your personal data, you can contact the Information Commissioner’s Office at the below address:

ICO

Wycliffe House

Water Lane

Wilmslow SK9 5AF www.ico.org.uk

Introduction

This Policy outlines the Tees Valley Combined Authority’s Privacy, Cookies and Fair Processing Policy.

This Policy outlines our commitment in using data both fairly and in accordance with Data Protection principles.

This policy applies to data you provide to us or which we collect about you, including data collected via the websites that the Tees Valley Combined Authority operates at the following URLs:

www.teesvalley-ca.gov.uk Tees Valley Combined Authority
www.enjoyteesvalley.com Enjoy Tees Valley
www.teesvalleycareers.com Tees Valley Careers
www.teesinvest.com Invest Tees Valley
www.teesvalleybusiness.com Tees Valley Business
Buylocal.teesvalley-ca.gov.uk Buy Local Tees Valley
www.teesvalley.jobs Tees Valley Jobs
www.neyenergyhub.com North East and Yorkshire Energy Hub

These websites and trading styles are all brands of Tees Valley Combined Authority which remains the data controller and the responsible statutory body in relation to these websites and brands.

Tees Valley Combined Authority, along with the websites associated above process all data fairly and lawfully in line with Data Protection laws.

How we collect different types of information

The personal information we collect is that which data subjects provide to the organisation via direct engagement. This includes, but is not limited to information provided via:

  • consultation responses
  • information provided by attendees at events
  • information provided when joining mailing lists
  • information provided in relation to grants, applications, monitoring and appraisal
  • complaints and feedback
  • survey responses
  • job applications and employee information
  • applications for employment and skills related programmes.
  • photographs
  • information to allow us to arrange meetings and circulate papers for these meetings
  • information provided in relation to procurement and contracts for goods and services
  • other contractual information
  • information to allow us to administer the devolved Adult Education Budget
  • information to allow us to produce pupil projections to assist our Constituent Authorities to plan for school place demand
  • information to allow is to act as Lead Authority for the UK Community Renewal Fund bid process (see Appendix 1 below)
  • information to allow us to act in our capacity as the Energy Hub for the North East and Yorkshire

Other sources of personal data processed by the organisation may appear in separate fair processing notices relating to particular activities. All such notices should be read in conjunction with, and add to, this privacy policy.

Who the information relates to

The information we collect, as described above, is from a variety of different sources. This personal data relates to the following categories of data subject:

  • Mailing lists/Contact lists
  • Grant Applicants and Recipients
  • Suppliers*
  • Employees, secondees and temporary workers**
  • Organisations with which we partner or share data
  • Other people we work with
  • Members, Officers of other organisations

*Supplier information

If you are one of our suppliers, we will use information we hold on you to manage the contract between us and to improve services. The information we hold may include information about your performance in providing services to us or to our clients.

** Employee information

If you are an employee of TVCA we will handle your personal data in accordance with our employee specific privacy notice, which you will have received with your welcome pack and is available on request from DPO@Teesvalley-ca.gov.uk

Cookies Information

Our websites use cookies to distinguish you from other users of our websites. This helps us to provide you with a good experience when you browse our websites and allows us to improve our sites. You can view our full Cookie Policy at https://teesvalley-ca.gov.uk/privacy-policy/

How we process personal information

Purpose

Personal information is processed for the following specified purposes:

  • processing your requests and delivering services you request from us
  • sending you information which you have requested
  • auditing the usage of our websites
  • monitoring the usage of our websites to enable us to update and tailor our websites to meet the needs of users
  • considering applications for grants, processing grant claims and monitoring grant performance and compliance
  • to allow us to allocate funding devolved from government
  • to assist the Tees Valley local authorities with planning for school place requirements
  • preparing information for decision making by Boards and Committees
  • sending marketing information only where a person has specifically consented to this
  • running procurement processes, awarding contracts and monitoring contractual performance and delivery
  • to comply with our legal obligations including fraud protection and crime prevention

Fair Processing

Tees Valley Combined Authority is committed to the highest standards in relation to all aspects of fair processing and this is outlined throughout our information governance principles (this is the collection, storage, security, use, appropriate release and destruction in relation to data).

Fair Processing Notices

Our commitment to the highest standards in all aspects of fair processing is important to us to ensure our stakeholders are aware of how we collect and process their information.

We pride ourselves by being fair and transparent to ensure effective relationships with our stakeholders are maintained. Accountability for their information is our main priority.

Individual notices for specific circumstances may be provided to data subjects or appear on our website from time to time for specific types of data collection and processing. Such notices are supplementary to and are not intended to override this general Privacy Policy. Individual fair processing notices should be read alongside this Privacy Policy.

How we keep information safe

Only employees of Tees Valley Combined Authority or those specifically authorised by us will have access to your information.

We keep this information secure by taking appropriate technical and organisational measures against any unauthorised or unlawful processing and against its accidental loss, destruction or damage.

Unfortunately, the transmission of information via the internet is not always completely secure and this is something we recognise. We will always do our best to protect any personal data, once we receive your data, we use strict procedures and have security processes in place to prevent any loss, breach or unauthorised access to it; we strive by a policy that data should only be accessed by those that need to.

If there is a breach of security involving your personal information which we are concerned will involve risks to you, we shall, without undue delay, work to mitigate those risks and contact you and/or the data privacy supervisory authority in accordance with applicable laws.

How we share information

There are times where we need to share information with those within our constituent authorities, organisations within our group structure or suppliers that provide us with a service.

These providers are obliged to keep your details secure and use them only to fulfil a purpose. If we wish to pass your sensitive or confidential information onto a third party, we would only do so once we have obtained your consent, unless we are legally required to do so.

We may disclose information to other partners without consent where it is necessary, either to comply with a legal obligation, or where permitted under Data Laws, e.g. this could be where the disclosure is necessary for the purposes of the prevention and/or detection of crime or necessary to perform our contract with you.

We have an information sharing protocol with our constituent authorities and those that provide us with services (e.g. Internal Auditors, External Auditors) so they are aware of the responsibilities between Tees Valley Combined Authority (as the controller) and the service being provided (as the processor). We do this so you can be confident that all our constituent authorities and those that provide services to us comply with our privacy principles.

We also take responsibility for any information that is shared with us by a constituent authority and act in accordance with the principles and privacy notices of an organisation/authority for any occasions where Tees Valley Combined Authority may act as a processor. We apply the same commitment to this information.

At no time will your information be passed to organisations external to us and our partners, for marketing or sales purposes or for any commercial use without your prior expressed consent.

Lawful Grounds for Processing

We have set out below, in a table format, a description of all the usual ways we plan to use your personal data, and which of the legal bases we rely on to do so.  We have also identified what our legitimate interests are where appropriate.

Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data.  Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.

Purpose/Activity Type of data Lawful basis for processing including basis of legitimate interest
To respond to enquiries submitted by you via our website or other contact points (a) Identity

(b) Contact

(a) Performance or preparation to perform of a contract with you and/or

(b) Either: Necessary for our legitimate interests or further to performance of a public task and/or

(c) Your consent

To process and deliver any grant or funding applications:

(a) Manage payments, fees and charges

(b) Process and verify claims

(c) Monitor performance against fund specific requirements

(a) Identity

(b) Contact

(c) Financial

(d) Transaction

(e) Marketing and Communications

(a) Performance of a contract with you

(b) Either: Necessary for our legitimate interests or further to performance of a public task and/or

(c) Your consent

To manage our relationship with you which will include:

(a) Notifying you about changes to our terms or privacy policy

(b) Asking you to provide further information on any enquiry or application you’ve made to us

(c) creating and organising committees

(d) declarations of interest from committee members

(a) Identity

(b) Contact

(c) Profile

(d) Marketing and Communications

(e) List of Financial or other interests

(a) Performance of a contract with you and/or

(b) Necessary to comply with a legal obligation and/or

(c) Either: Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) or Performance of a Public Task and/or

(d) Your consent

To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data) (a) Identity

(b) Contact

(c) Technical

(a) Necessary for our legitimate interests (for running our website and organisation, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)

(b) Necessary to comply with a legal obligation

To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you (a) Identity

(b) Contact

(c) Profile

(d) Usage

(e) Marketing and Communications

(f) Technical

Either necessary for our legitimate interests or further to performing a public task (where applicable) (to study how users interact with our website and/or services, to develop them, to grow our organisation and its influence/impact on the local community and to inform our marketing strategy)
To use data analytics to improve our website, services, marketing, user relationships and experiences (a) Technical

(b) Usage

Necessary for our legitimate interests (to define types of users for our services, to keep our website updated and relevant, to develop our organisation and to inform our marketing strategy)
To make suggestions and recommendations to you about events, committees, grants or services that may be of interest to you (a) Identity

(b) Contact

(c) Technical

(d) Usage

(e) Profile

(f) Marketing and Communications

Either: necessary for our legitimate interests (to develop our products/services and grow our business) or (where applicable) in performance of a public task

Disclosure of Data

We will only disclose your information to third parties when:

  • we are required to do so by our funders – eg HM Government – or in relation to the funds we manage
  • if there is a business/operational need to do so we will inform you and seek your consent as we may use third parties to process data on our behalf or run projects in conjunction with other organisations. Should we anticipate such activity we will inform you at the point we collect information.
  • we are under a duty to do so in order to comply with a legal obligation or to protect the rights, property or safety of others; this includes, but is not limited to exchanging information with other organisations for the purposes of fraud protection and crime prevention

In the event that we need to transfer personal information outside of the European Economic Area (EEA), we will take all steps reasonably necessary to ensure that the appropriate safeguards are in place and that your information is processed securely.

We currently use a third party software service provider, MailChimp, to assist us with distribution of certain marketing and information materials. This may result in transfer of certain personal data to the United States. Transfer of personal data in these circumstances will be on the basis of the European Commission’s Standard Contractual Clauses. We always keep the personal data transferred to a minimum, usually only your name and contact details will be shared. Following recent decisions and guidelines issued in relation to transfer of European data to the US we will be keeping these transfer activities under review. If you do not wish to have your personal data processed in this way please do not sign up for our marketing emails. You can also unsubscribe from our e-marketing at any time by using the unsubscribe link, which is included with all our marketing emails.

Data Retention

We will retain your information in line with the period outlined at the time the data is collected and only for as long as it is necessary to do so and in accordance with our Data Retention and Destruction Policy.

Marketing

Tees Valley Combined Authority would only send you a marketing email when you gave your consent to sign up to a mailing list, distribution list or newsletter.

We ensure that we have a system in accordance with data protection principles for any marketing we will ask you to give a positive opt-in to receiving marketing. This would always be your choice.

Tees Valley Combined Authority will only use your consented information to the purpose you sign up to a mailing list for (and nothing else) which will be explicitly given from the onset, for example:

  • sign up to a newsletter or specific update
  • consultation exercise
  • sign up to a forum/event
  • sign up for information regarding Committee meeting dates/information

As part of our internal procedures to ensure information is current and up to date, we will regularly review our e-marketing mailing lists to ensure that you still would like to receive information from us. We will always advise you that you are able to withdraw consent at any time regarding your information being included on our e-marketing mailing list and ask if you would like to specifically opt-out of the electronic mailing list; this option will always be visible and clear within any marketing contacts we send you.

If we make a mistake or your information changes

We like to ensure we keep information accurate and up to date. It is important that if we have any of your information inaccurate, incomplete or we have made an error, you notify us. Equally it is your duty to inform us of changes to your personal information. Please do so during the course of your relationship with us by emailing DPO@Teesvalley-ca.gov.uk

Your rights in connection with personal information

 Under certain circumstances, by law you have the right to:

  • Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
  • Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
  • Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
  • Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
  • Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
  • Request the transfer of your personal information to another party.

If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Protection Officer via DPO@Teesvalley-ca.gov.uk

No fee usually required

You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.

What we may need from you

We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.

Right to withdraw consent

In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact DPO@teesvalley-ca.gov.uk. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.

Other Information Rights

The Right to Complain

You have a right to lodge a complaint about us with the Supervisory Authority at an any time. You can make a complaint to The Information Commissioner’s Office via this page:  https://ico.org.uk/make-a-complaint/

Freedom of Information

Data can also be requested via a Freedom of Information request. We also have a FOI Publication Scheme on our website, that commits the Tees Valley Combined Authority to make information available to the public as part of its normal business activities. These can be found at https://teesvalley-ca.gov.uk/transparency/publication-scheme/

Data Protection Officer

If you have any questions or concerns, please contact our Data Protection Officer at DPO@Teesvalley-ca.gov.uk

Changes to our Notice

We will review this Privacy Policy on a regular basis to ensure that the information is up to date and relevant. Any changes we make to this Privacy Policy will be posted on our website(s) and where appropriate, you will be notified to you by e-mail or post.

Further Information

For further information the Information Commissioner’s Office Website provides further details regarding data protection principles and responsibilities at https://ico.org.uk

Appendix 1

UK Community Renewal Fund: Tees Valley Combined Authority Privacy Notice

Updated 8th April 2021

The identity of the data controller and contact details of our Data Protection Officer

The Ministry of Housing, Communities and Local Government (MHCLG) is a data controller for all UK Community Renewal Fund related personal data collected with the relevant forms submitted to MHCLG, and the control and processing of Personal Data.

The Data Protection Officer for MHCLG can be contacted at dataprotection@communities.gov.uk

Mayoral Combined Authorities, the Greater London Authority, County Councils or Unitary Authorities, have been designated as a ‘Lead Authority’ in Great Britain for the UK Community Renewal Fund. Each Lead Authority has been invited to run a local bidding process and will be a joint data controller for all UK Community Renewal Fund related Personal Data collected with the relevant forms as part of this process, and the control and processing of Personal Data, where such applications are not submitted to MHCLG for consideration.

The local Data Controller for all the information you provide on this form is Tees Valley Combined Authority, Cavendish House, Teesdale Business Park, Stockton- on-Tees, TS17 6QY. Data Protection Registration Number: Z4969253.

Why we are collecting your personal data

Your personal data is being collected as an essential part of the UK Community Renewal Fund bidding process, so that we can contact you regarding your bid and for monitoring purposes. We may also use it to contact you about matters specific to the Fund.

Legal basis for processing your personal data

Tees Valley Combined Authority will process all data according to the provisions of the Data Protection Act 2018 and the UK General Data Protection Regulation 2018 (UK GDPR) and all applicable laws and regulations relating to processing of Personal Data and privacy, including, where necessary, the guidance and codes of practice issued by the Information Commissioner and any other relevant data protection regulations (together “the Data Protection Legislation (as amended from time to time)”).

The Data Protection Legislation sets out when we are lawfully allowed to process your data. The lawful basis that applies to this processing is Article 6 (1) (e) of the UK GDPR; that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; data being processed belongs to business contacts processed during the routine course of business of a government department.

With whom we will be sharing the data

As part of the process of selecting and monitoring the UK Community Renewal Fund, Tees Valley Combined Authority will share your personal data with relevant internal services and government departments including:

  • Ministry of Housing and Local Government (MHCLG)

The data may also be shared with contractors where they are used for monitoring purposes, to evaluate the programme. Their contract will set out what they are permitted to do with personal data.

For how long we will keep the personal data, or criteria used to determine the retention period

If your bid is successful, your personal data will be held for up to two years from the closure of the bidding process. This is currently estimated to be July 2023. As part of the monitoring process, we will contact you regularly to ensure our records are up to date.

Should your bid be unsuccessful it will be held for audit purposes but will be deleted in line with our Data Retention and Destruction Policy.

Your rights, e.g. access, rectification, erasure.

Your personal information belongs to you and you have the right to:

  • be informed of how we will process it
  • request a copy of what we hold about you and in commonly used electronic format if you wish (if you provided this to us electronically for automated processing, we will return it in the same way)
  • have it amended if it’s incorrect or incomplete
  • have it deleted (where we do not have a legal requirement to retain it)
  • withdraw your consent if you no longer wish us to process
  • restrict how we process it
  • object to us using it for marketing or research purposes
  • object to us using it in relation to a legal task or in the exercise of an official authority
  • request that a person reviews an automated decision where it has had an adverse effect on you

Sending data overseas

Your data will be held within Tees Valley Combined Authority’s secure network and premises and will not be processed outside of the UK. Access to your information will only be made to authorised members of staff who are required to process it for the purposes outlined in this privacy notice.

Any sub-contractor(s) or external organisations detailed in this privacy notice will also maintain the same levels of security that we do which are set out in the contract we have with them.

Automated decision making

We will not use your data for any automated decision making.

Storage, security and data management

Your personal data will be stored in a secure Combined Authority IT system. Where data is shared with third parties, as set out in the data sharing section above, we require third parties to respect the security of your data and to treat it in accordance with the law. All third parties are required to take appropriate security measures to protect your personal information in line with our policies.

Complaints and more information

If you would like to access any of the information we hold about you or have concerns regarding the way we have processed your information, please contact: Data Protection Officer, Tees Valley Combined Authority, Cavendish House, Teesdale Business Park, Stockton-on-Tees, TS17 6QY Tel: 01642 524400 Email: dpo@teesvalley-ca.gov.uk

We would prefer any complaints to be made to us initially so that we have the opportunity to see if we can put things right. However, if you are unhappy with the way we have processed your information or how we have responded to your request to exercise any of your rights in relation to your data, you can raise your concerns direct with the Information Commissioner’s Office Tel No. 0303 123 1113 https://ico.org.uk/concerns/