When processing your personal, special category personal or criminal/law enforcement data, Cumberland Council (‘the council’) is required under Articles 13 and 14 of the UK General Data Protection Regulation (UKGDPR) to provide you with the information contained in this Privacy Notice.

This notice explains what the council will collect, who it will be shared with, why we need it and how we will use it. The council will continually review and update this Privacy Notice to reflect service changes, feedback from customers and changes in the law.

The council is also required to comply with the data protection principles as laid out in the UKGDPR, to ensure that personal data is:

  • processed lawfully, fairly and in a transparent manner
  • collected for specific, explicit, and legitimate purposes
  • adequate, relevant, and limited to the purposes for which it was collected
  • accurate and up to date
  • kept for no longer than is necessary for the purpose(s) for which it was collected
  • secured using appropriate technical or organisational measures

Local Government Reorganisation (LGR)

As of 1 April 2023, Cumberland Council will replace Allerdale Borough Council, Carlisle City Council and Copeland Borough Council, as well as services previously delivered by Cumbria County Council. 

Local Government Reorganisation is a complex process and there will be a period of transition to allow for services and support systems to be securely transferred. 

During this time existing arrangements for data processing will be maintained until they can be reviewed, and new Privacy Notices issued.  Individuals wishing to understand more about how their data is processed should refer to the following Privacy Notices:   


As an organisation that processes large amounts of personal, special category personal or criminal/law enforcement data, referred to in legislation as a data controller, the council is required to register with the Information Commissioner’s Office (ICO)

Name: Cumberland Council

Address: Cumbria House, 117 Botchergate, CarlisleCumbria, CA1 1RD

Registration Number: ZB512758

The council’s Registration Certificate can be viewed here:

Information Commissioner's Office: Cumberland Council Registration Certificate

In most cases Cumberland Council is the data controller, however there may be instances where data is shared with another party as joint Data Controllers, or where the Council is operating as a data processor for another party.

Personal data

UKGDPR Article 4 defines personal data as: any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Special category personal data

UKGDPR Article 9 defines special category personal data as: racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation.

Criminal/law enforcement data

The council is a competent authority as described in Schedule 7 of the Data Protection Act 2018 and is permitted to process data for law enforcement purposes that include: the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.

Information the council collects about you

The council will only collect personal, special category personal or criminal/law enforcement data where it is required to deliver a service or to meet a statutory requirement.

In general, the council collects the following types of personal data (dependent on the nature of the service(s) you are applying for or receiving):

  • business activities
  • case file information
  • date of birth 
  • education i.e., qualifications
  • email address (personal/work)
  • employment history
  • family details i.e., next of kin
  • finance/bank/payment details
  • housing needs
  • identifiers i.e., NHS Number
  • licenses or permits
  • lifestyle and social circumstances
  • name
  • physical description, appearance and behaviour
  • postal address
  • services received
  • telephone numbers (mobile/landline)
  • visual images i.e., photographs, CCTV

The council will also collect information which is not unique to you i.e., gender, postcode.

The council may also collect special category personal data that includes:

  • biometrics i.e., fingerprints, facial recognition
  • criminal record including offences (including alleged offences), proceedings, outcomes and sentences
  • ethnic origin
  • physical or mental health
  • political affiliation/opinions
  • race
  • religious or other beliefs
  • sex life
  • sexual orientation
  • trade union membership

Less often, the council may collect criminal/law enforcement data, that includes:

  • criminal convictions
  • offences

Personal, special category personal or criminal/law enforcement data being collected and processed at service-level will be laid out in specific Privacy Notices.

How the council collects data about you

In general, the council will collect personal, special category personal or criminal/law enforcement data from you in the following ways:  

  • on a paper or online form
  • by telephone
  • by email
  • recorded by CCTV cameras, or
  • in person by a member of our staff or one of our partners

Why the council collects your personal data

The council collects personal, special category personal or criminal/law enforcement data to enable it to:

  • manage the services we provide to you including improving quality and investigating any worries or complaints about those services
  • corporate administration and all activities we are required to carry out as a data controller and public authority
  • conduct committee meetings including virtual meetings
  • registering and maintaining online customer accounts
  • support internal financial and corporate functions by maintaining accounts and records
  • support and manage employees
  • planning of new services
  • promote services
  • market local tourism
  • conduct public/health awareness campaigns
  • manage property
  • provide leisure and cultural services
  • provide education services
  • carry out surveys and consultations
  • administer the assessment and collection of taxes and other revenue i.e., benefits, grants
  • carry out licensing and regulatory activities
  • provide social services to adults and children
  • assist with crime prevention and prosecution of offenders i.e., CCTV
  • undertake research
  • provide all commercial services i.e., administration and enforcement of parking regulations and restrictions
  • provide non-commercial activities i.e., refuse collections from residential properties
  • manage archived records for historical research
  • match data under local and national fraud initiatives
  • support public health services 
  • monitor equality, diversity and inclusion

Who the council collects personal data from

To provide services the council may need to collect personal, special category personal or criminal/law enforcement data from or about the following:

  • businesses, customers and suppliers
  • carers or representatives
  • claimants
  • complainants, enquirers or their representatives
  • healthcare users 
  • landlords
  • licence and permit holders
  • offenders and suspected offenders
  • patients
  • people captured by CCTV images
  • professional advisers and consultants
  • recipients of benefits
  • representatives of other organisations
  • staff, persons contracted to provide a service
  • councillors
  • students and pupils
  • traders and others subject to inspection
  • witnesses
  • speaking members of public at committee meetings, including virtual committee meetings
  • other departments within the council

We may receive personal, special category personal or criminal/law enforcement data about you from the third parties mentioned above and other public bodies and organisations.  In this case, we will tell you the source of the information unless we are unable to do so by law.

Who the council shares personal data with

Where there is a lawful reason to do so the council may share personal, special category personal or criminal/law enforcement data with: 

  • business associates and other professional advisers
  • courts, prisons and tribunals
  • credit reference agencies
  • current, past and prospective employers
  • customers
  • customs and excise
  • data processors
  • debt collection and tracing agencies
  • educators and examining bodies
  • employees and agents of the data controller
  • family, associates or representatives of the person whose personal data we are processing, e.g., next of kin, Power of Attorney, Guardians
  • financial organisations
  • fire authorities
  • healthcare, social and welfare organisations and professionals
  • housing associations and landlords
  • international law enforcement agencies and bodies
  • law enforcement and prosecuting authorities
  • legal representatives
  • licensing authorities
  • local and central government departments
  • Local Government Ombudsman/Information Commissioner
  • partner agencies, approved organisations and individuals working with the police
  • persons making an enquiry or complaint
  • police complaints authority
  • police forces
  • political organisations
  • press and the media
  • private investigators
  • professional advisers and consultants
  • professional bodies
  • providers of goods and services
  • regulatory bodies
  • religious organisations
  • security companies
  • service providers
  • students and pupils including their relatives, guardians, carers or representatives
  • survey and research organisations
  • the disclosure and barring service
  • trade unions
  • voluntary and charitable organisations
  • other departments within the council to allow us to provide efficient and effective services

We will also comply with requests for specific personal, special category personal or criminal/law enforcement data from other Local Authorities or regulatory and law enforcement bodies where this is necessary and proportionate.  Before sharing we will always ensure that our partners have sufficient measures in place to protect your information in the same way we do.

We will never share your personal, special category personal or criminal/law enforcement data for marketing purposes, without your express consent.

Where the Council identifies the requirement to process personal, special category/sensitive or criminal/law enforcement data, depending on the specific data being shared, it must have at least one of the following:

If we are relying on consent to process your personal, special category personal or criminal/law enforcement data, you have the right to object at any time by contacting the service or officer the data was provided to. 

CCTV and Surveillance

We operate surveillance equipment within some of our services for the purpose of either, public and staff safety, or the prevention and detection of crime. CCTV is also installed on the outside of some of our buildings for the purposes of monitoring building security and crime prevention and detection.

Civil Enforcement Officers (CEOs) who undertake the enforcement of parking restrictions, are each equipped with a Body Worn Video Device (BWVD), which has both video and audio recording capability.

Images captured by CCTV will be kept in accordance with the council’s Retention and Disposal Schedule.  However, on occasions there may be a need to keep images for longer, for example where a crime is being investigated.  Images can be requested by writing to: dataprotection@cumberland.gov.uk

We will only disclose images and audio to other authorised bodies who intend to use it for the purposes stated above.  Images and audio will not be released to the media for entertainment purposes or placed on the internet for public viewing.

We operate CCTV and disclose in accordance with the codes of practice issued by the Information Commissioner and Biometrics and Surveillance Camera Commissioner. 

Covert surveillance will not be carried out by the council unless authorisation is granted under the Regulation of Investigatory Powers Act (RIPA). 

National Fraud Initiative/Data Matching

The Council participates in the Cabinet Office's National Fraud Initiative: a data matching exercise to assist in the prevention and detection of fraud. We are required to provide particular sets of data to the Minister for the Cabinet Office for matching for each exercise.  For further information please see:  National Fraud Initiative: Public Sector Data Requirements.

For further information on how your data is processed by the council please see:

Cumbria County Council

Allerdale Borough Council

Carlisle City Council

Copeland Borough Council

Elected Members

In order for Elected Members to act on your behalf and resolve the issues you have raised they may need to collect some personal, special category personal or criminal/law enforcement data.  This could include your name and address, and/or sensitive personal data, which could be concerning your health or ethnic origin.

In some circumstances your explicit consent may be needed to allow for the processing of your data.  If this is needed the relevant Elected Member will contact you directly.

Elected Members will:

  • only share data with the organisations necessary to deal with your enquiry i.e., different council departments, and to resolve any issues you have raised
  • not share your data with third parties, unless it is required for law enforcement purposes to prevent or detect crime, to protect public funds or where required or permitted to share data under other legislation
  • keep your data secure using the council's secure IT and email systems
  • retain/destroy your data in accordance with the council's Retention and Disposal Schedule

You have the right to access your personal, special category personal or criminal/law enforcement data and to rectify mistakes, erase, restrict, object or move your data in certain circumstances.

You can withdraw your consent for your personal, special category personal or criminal/law enforcement data to be processed as described above at any time.  If you would like this to happen or you have a complaint about how your data is handled, please contact your Elected Member.

If you are not satisfied with the response or believe the Elected Member is not processing your personal, special category personal or criminal/law enforcement data in accordance with the law you can complain to the Information Commissioner's Office (ICO).

Data transfers

It may sometimes be necessary to transfer personal, special category personal or criminal/law enforcement data beyond the UK to comply with legal or other obligations. 

Where data is required to be transferred to the European Union or other adequate countries the council will ensure that all relevant safeguards are in place before this takes place and that all aspects of the UKGDPR/Data Protection Act 2018 are complied with.

Data requested for transfer to non-adequate countries will be subject to a Transfer Impact Assessment, that includes the identification of appropriate safeguards prior to data being authorised for transfer.  

Data security and retention

The council is required by UKGDPR Article 32 to ensure that appropriate organisational and security measures are in place to protect your personal, special category personal or criminal/law enforcement data.

Security measures include: anonymisation, pseudonymisation, encryption, access controls on systems, regular testing of our systems, security training for all employees.   You can find further information in the following documents:

If you access information online, the council website does not store or capture personal information, but merely logs a number called your IP address which is automatically recognised by the system. The system will record personal information if you:

  • subscribe to or apply for services that require personal information
  • report a fault and give your contact details for us to respond
  • contact us and leave your details for us to respond

For further information visit our Cookies Web Page.

Cumberland Council will only store your information for as long as is legally required, or in situations where there is no legal retention period established best practice will be followed. In accordance with our Retention and Disposal Schedule (Excel, 339KB).

To help you understand the Schedule the council has published a Retention Schedule - Quick User Guide 

If you have any questions about the Schedule or the Quick User Guide, please contact the Records Management service email: record.centre@cumberland.gov.uk

If you experience any problems in relation to your personal data or you see something that doesn't look right, contact the council by email at: databreaches@cumberland.gov.uk

Contacting us


If you email us, we may keep a record of your contact and your email address and the email for our record keeping of the transaction.  We suggest that you keep the amount of confidential information you send to us via email to a minimum and use our secure online forms and services.  Where available, you can sign up for email alerts for selected services using an external service from GovDelivery, with control over your preferences.

Telephone calls

The council will inform you if your telephone calls are being recorded or monitored and will not record any financial card details if you make payments by telephone.

Your rights - Data Subject Access

The UKGDPR provides you with the right to access the personal, special category personal or criminal/law enforcement data the council, as a public authority holds about you. Upon receipt of a valid request the council will:

  • provide you with a response within one month
  • let you know if your request is subject to an extension
  • make reasonable efforts to comply with the format of your request
  • inform you if your request is going to be refused or a charge is payable

We will not disclose:

  • any information that relates to a third party as this will breach their rights under UKGDPR/Data Protection Act 2018
  • where a professional thinks disclosure would cause serious harm to you or someone else
  • information that may hinder the prevention or detection of crime.

You can make a Data Subject Access Request by contacting:

Your rights - other

In addition to your right of access the UKGDPR gives you the following rights:

  • the right to be informed via the council's Privacy Notice
  • the right to withdraw your consent. If we are relying on your consent to process your data, then you can remove this at any point
  • the right of rectification, we must correct inaccurate or incomplete data within one month
  • the right to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information. Where your personal data has been shared with others, we will ensure those using your personal data comply with your request for erasure.
  • the right to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future
  • the right to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked
  • the right to object. You can object to your personal data being used for profiling, direct marketing or research purposes
  • you have rights in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

Where our processing of your personal, special category personal or criminal/law enforcement data is based on your consent, you have the right to withdraw your consent at any time. If you do decide to withdraw your consent, we will stop processing your personal data for that purpose, unless there is another lawful basis we can rely on - in which case, we will let you know. Your withdrawal of your consent won't impact any of our processing up to that point.

Where our processing of your personal, special category personal or criminal/law enforcement data is necessary for our legitimate interests, you can object to this processing at any time. If you do this, we will need to show either a compelling reason why our processing should continue, which overrides your interests, rights and freedoms or that the processing is necessary for us to establish, exercise or defend a legal claim. 

Unless otherwise stated above you can exercise any of these rights by contacting:

Email: dataprotection@cumberland.gov.uk  

Post: Cumbria House, 117 Botchergate, Carlisle, Cumbria, CA1 1RD

Verifying your identity

When exercising the rights mentioned above, please be aware that under UKGDPR Article 12(6) additional information can be requested to verify that you are the data subject if your identity is unconfirmed. Please note that:

  • additional documentation is only required when the council cannot verify your identity using internal council systems that relate to the service you are requesting information about
  • the council will contact you for this documentation prior to processing your request
  • the statutory deadline for responding to your request will start when you have provided the additional documentation
  • failure to provide additional documentation may lead to the council rejecting your request.


If you have concerns about the way the council has processed your data, please contact:

Email: dataprotection@cumberland.gov.uk  

Post: Cumbria House, 117 Botchergate, Carlisle, Cumbria, CA1 1RD

If you are not satisfied with our response or believe we are not processing your personal data in accordance with the law you can complain to the Information Commissioner's Office (ICO)