Local government in Surrey is changing
From April 2027, the existing county council and 11 district and borough councils will be replaced by two new unitary councils. Learn more about Future Surrey
Privacy
View the Surrey Heath Borough Council privacy notices.
Licensing privacy policy
What information do we collect from you?
We may collect, use, store and transfer different kinds of personal data about you which we have grouped together as follows:
- Identity data; includes first name, maiden name, last name, username or similar identifier, marital status, title, nationality, date of birth and gender, occupation, employer, national insurance number, registered GP details, photographs, recordings, vehicle registration.
- Contact data; includes address, email address and telephone numbers.
- Special Category data; includes Mental and physical health and lifestyle data, details of injuries and medication, any convictions and enforcements, professional qualifications.
- Communications data; includes your communications with us and our third parties including registration of services, application data, complaints and compliments.
We use different methods to collect data from and about you including through:
- Direct interactions. You may give us your Identity, Contact, Special Category and Communications data by filling in forms or by corresponding with us by post, phone, email, online or otherwise. This includes personal data you provide when you:
- apply for licences or services;
- subscribe to our service;
- give us some feedback
- to register you as a new customer
- to respond to queries or complaints
- report breaches
Reasons why we collect your personal data
The information is collected, used and stored so that we can administer the services and statutory obligations that fall within the remit of the Licensing Team.
- Deliver public services including understanding your needs to provide the services that you request
- To confirm your identity to provide some services
- To prevent and detect crime including fraud
- To enable us to meet all legal and statutory obligations and powers including any delegated functions
- To investigate complaints and take action where necessary, including communications with relevant individuals
- To inform relevant individuals of the outcome of an investigation, application, enquiry or request
- To seek your views, opinions or comments as part of investigations or application processes
- To notify you of changes to our facilities, services, events and staff, and other roles/responsibilities
- To allow the statistical analysis of data so we can plan the provision of services
Purposes for which we will use your personal data
We have set out below, in a table format, a description of all the ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please email data.protection@surreyheath.gov.uk if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
| Purpose/Activity | Type of data | Lawful basis for processing |
|---|---|---|
| To register you/operator/company for licensing |
(a) Identity
(b) Contact |
Necessary for our public task
Performance of a contract with you |
| To process licenses for individuals/operators/companies |
(a) Identity
(b) Contact
(c) Communication |
Necessary for our public task
Performance of a contract with you |
| To complete our statutory requirements |
(a) Identity
(b) Contact
(c) Communication
(d) Special Category |
Necessary for our public task
Necessary for substantial public interest |
| To respond to queries, complaints and compliments |
(a) Identity
(b) Contact
(c) Communication |
Necessary for our public task |
Who we will share your data with
To comply with our statutory requirements, data may be disclosed to other services within Surrey Heath Borough Council, and external agencies such as (but not exclusively) Police/DVLA/TFL, Government agencies and other Local Authorities. Examples of this is establishing an applicant’s right to work in the UK via the Home Office, or ensuring that an applicant is not ‘barred’ from holding a particular type of licence via the Disclosure and Barring Service, investigating benefit or housing fraud or where an out of area roadside enforcement has been identified this will be passed to the relevant Local Authority.
To tackle fraud and share intelligence the Council is registered with the NR3 Register. This is a National Anti-Fraud Initiative (NAFI) that allows councils to record details of where a taxi or PHV licence has been refused or revoked and allows local authorities to check new applicants against the register. More information can be found on the NAFI. Where an application is refused, or where a licence is granted but subsequently revoked, your information, including your name, address, NI, driving license number and Council decision, will be entered onto the register which can then be viewed by other Licensing authorities and held for a period of 11 years. The lawful basis the Council is relying on to process your data in this way is necessary for the performance of a task carried out in the public interest and in the exercise of official authority vested in the controller.
Licensing Authorities are required by Law to share data on taxi and private hire vehicle licensing information with the Department for Environment, Food and Rural Affairs (Defra) so that Defra can create a database for the purposes of the Air Quality Regulations. Defra may, under contracts or similar agreements, use third party organisations to process the data on its behalf. This will include the creation and provision of the database to support local authorities’ ability to charge in relation to clean air zones. The legal basis under Data Protection Legislation to share Personal Data with Defra and Defra’s further processing of the Personal Data for the Purpose is Article 6(1)(c) of the GDPR – i.e. the processing is necessary for compliance with a legal obligation to which the controller is subject. Defra will retain the Data for a period not exceeding seven years for revenue purposes from the date received from The Licensing Authority. More information can be found at The Air Quality (Taxis and Private Hire Vehicles Database) (England and Wales) Regulations 2019.
Where we share your information with third parties we require them to respect the security of your personal data and to treat it in accordance with the law. We do not allow our third-party service providers to use your personal data for their own purposes and only permit them to process your personal data for specified purposes and in accordance with our instructions. We will only ever share your data with third parties where there is a legal basis and only the minimum information is shared.
Some of the information you provide in connection with an application will be publicly available on a Statutory Public Register that we have to keep and make available for any member of the public to view, this may also be released under Freedom of Information. This will include, for example but not limited to, your name, your business’s details, licence/permit/registration number, expiry date etc. Your personal email address and signatures, will be redacted from public viewing but we will hold this information on our database and it will be available to all licensing staff.
This information may be more widely published on the internet in relation to public licensing and regulatory committee meetings within minutes and agendas relating to your licence/permit/registration/consent application, changes to your licence/permit /registration/consent, or licence/permit/registration/consent reviews.
Transferring data outside of the EEA
We do not transfer your personal data outside the European Economic Area (EEA).
How we handle data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
How we handle data breaches
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
How long will we retain your information for?
We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.
To determine the appropriate retention period for personal data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorised use or disclosure of your personal data, the purposes for which we process your personal data and whether we can achieve those purposes through other means, and the applicable legal requirements.
Details of retention periods for different aspects of your personal data are available in our retention policy which you can request from us by emailing foi@surreyheath.gov.uk.
In some circumstances you can ask us to delete your data.
In some circumstances we may anonymise your personal data (so that it can no longer be associated with you) for research or statistical purposes in which case we may use this information indefinitely without further notice to you.
What are my rights with regards to data?
Please see Your Legal Rights section of the main Privacy Notice.