Who we are
The Tees Valley Combined Authority (TVCA) is a Combined Authority covering the Local Authority areas of Darlington, Hartlepool, Middlesbrough, Redcar & Cleveland and Stockton-on-Tees. We are a statutory body and you can contact us as follows:
Tees Valley Combined Authority,
Teesside Airport Business Suite,
Teesside International Airport,
Data Protection Officer: DPO@teesvalley-ca.gov.uk
If you wish to complain about the use of your personal data, you can contact the Information Commissioner’s Office at the below address:
Wilmslow SK9 5AF www.ico.org.uk
This Policy outlines the Tees Valley Combined Authority’s Privacy, Cookies and Fair Processing Policy.
This Policy outlines our commitment in using data both fairly and in accordance with Data Protection principles.
This policy applies to data you provide to us or which we collect about you, including data collected via the websites that the Tees Valley Combined Authority operates at the following URLs:
|www.teesvalley-ca.gov.uk||Tees Valley Combined Authority|
|www.enjoyteesvalley.com||Enjoy Tees Valley|
|www.teesvalleycareers.com||Tees Valley Careers|
|www.teesinvest.com||Invest Tees Valley|
|www.teesvalleybusiness.com||Tees Valley Business|
|Buylocal.teesvalley-ca.gov.uk||Buy Local Tees Valley|
|www.teesvalley.jobs||Tees Valley Jobs|
|www.neyenergyhub.com||North East and Yorkshire Energy Hub|
|www.enjoyteesvalley.com/industry||Enjoy Tees Valley Industry|
These websites and trading styles are all brands of Tees Valley Combined Authority which remains the data controller and the responsible statutory body in relation to these websites and brands.
Tees Valley Combined Authority, along with the websites associated above process all data fairly and lawfully in line with Data Protection laws.
How we collect different types of information
The personal information we collect is that which data subjects provide to the organisation via direct engagement. This includes, but is not limited to information provided via:
- consultation responses
- information provided by attendees at events
- information provided when joining mailing lists
- information provided in relation to grants, applications, monitoring and appraisal
- complaints and feedback
- survey responses
- job applications and employee information
- applications for employment and skills related programmes.
- information to allow us to arrange meetings and circulate papers for these meetings
- information provided in relation to procurement and contracts for goods and services
- other contractual information
- information to allow us to administer the devolved Adult Education Budget
- information to allow us to produce pupil projections to assist our Constituent Authorities to plan for school place demand
- information to allow is to act as Lead Authority for the UK Community Renewal Fund bid process (see Appendix 1 below)
- information to allow us to act in our capacity as the Energy Hub for the North East and Yorkshire
Who the information relates to
The information we collect, as described above, is from a variety of different sources. This personal data relates to the following categories of data subject:
- Mailing lists/Contact lists
- Grant Applicants and Recipients
- Employees, secondees and temporary workers**
- Organisations with which we partner or share data
- Other people we work with
- Members, Officers of other organisations
If you are one of our suppliers, we will use information we hold on you to manage the contract between us and to improve services. The information we hold may include information about your performance in providing services to us or to our clients.
** Employee information
If you are an employee of TVCA we will handle your personal data in accordance with our employee specific privacy notice, which you will have received with your welcome pack and is available on request from DPO@Teesvalley-ca.gov.uk
|_ga||Google Analytics||Used to identify users and generates statistical data on the way they use our website.||2 years|
|_gid||Google Analytics||Used to identify users and generates statistical data on the way they use our website.||24 hours|
|_gat||Google Analytics||Used by Google Analytics to limit request rates.||10 minutes|
|_utma||Stores the amount of visits, time of the first visit, the previous visit and current visit for each user.||never|
|_utmb||Used by Google to identify how long a user stays on the website||end of session|
|_utmc||Used by Google to identify how long a user stays on the website||30 minutes|
|_utmt||Used by Google to limit request rates.||10 miuntes|
|_utmz||Used by Google to identify how the user navigated to the website||6 months|
|DYNSRV||website||Used to manage load balancing to manage server traffic demand.||session|
|ADMINDYNSRV||website||Used to manage load balancing to manage server traffic demand.||session|
|cerber_groove||website||A security cookie used to validate the user session.||2 weeks|
|wordpress_logged_in_||website||Used to identify if the current user is logged in.||session|
|wordpress_sec_[hash]||website||Used to store authentication details.||session|
|wp-settings-||website||Used to customize users view of the admin interface, and possibly the main site interface.||session|
|wp-settings-time-||website||Used to customize users view of the admin interface, and possibly the main site interface.||session|
|hidebanner||website||Stores the user’s cookie consent state for our website||1 year|
|wpe_auth||website||Provides administrators access to server related features from the CMS||session|
|cookieconsent_dismissed||website||Stores the users cookie consent state for our website||1 year|
|october_session||website||Stores the last visitor session||2 hours|
|admin_auth||website||Stores the last administrator session||5 years|
|user_auth||website||Stores the last user session||5 years|
|wpSGCacheByPass||website||Used to improve the speed and performance of the website||1 hour|
|PHPSESSID||website||Stores a message when a form is submitted which can be displayed on a different page.||session|
|XSRF-TOKEN||website||This cookie is written to help with site security in preventing Cross-Site Request Forgery attacks.||End of session|
|escn-notice||Electric Studio Cookie Notice plug-in||Stores the user’s cookie consent state for our website||1 year|
|(random characters)||website||Used by the site firewall to prevent attacks to the site from malicious software and hackers||1 Day|
How we process personal information
Personal information is processed for the following specified purposes:
- processing your requests and delivering services you request from us
- sending you information which you have requested
- auditing the usage of our websites
- monitoring the usage of our websites to enable us to update and tailor our websites to meet the needs of users
- considering applications for grants, processing grant claims and monitoring grant performance and compliance
- to allow us to allocate funding devolved from government
- to assist the Tees Valley local authorities with planning for school place requirements
- preparing information for decision making by Boards and Committees
- sending marketing information only where a person has specifically consented to this
- running procurement processes, awarding contracts and monitoring contractual performance and delivery
- to comply with our legal obligations including fraud protection and crime prevention
Tees Valley Combined Authority is committed to the highest standards in relation to all aspects of fair processing and this is outlined throughout our information governance principles (this is the collection, storage, security, use, appropriate release and destruction in relation to data).
Fair Processing Notices
Our commitment to the highest standards in all aspects of fair processing is important to us to ensure our stakeholders are aware of how we collect and process their information.
We pride ourselves by being fair and transparent to ensure effective relationships with our stakeholders are maintained. Accountability for their information is our main priority.
How we keep information safe
Only employees of Tees Valley Combined Authority or those specifically authorised by us will have access to your information.
We keep this information secure by taking appropriate technical and organisational measures against any unauthorised or unlawful processing and against its accidental loss, destruction or damage.
Unfortunately, the transmission of information via the internet is not always completely secure and this is something we recognise. We will always do our best to protect any personal data, once we receive your data, we use strict procedures and have security processes in place to prevent any loss, breach or unauthorised access to it; we strive by a policy that data should only be accessed by those that need to.
If there is a breach of security involving your personal information which we are concerned will involve risks to you, we shall, without undue delay, work to mitigate those risks and contact you and/or the data privacy supervisory authority in accordance with applicable laws.
How we share information
There are times where we need to share information with those within our constituent authorities, organisations within our group structure or suppliers that provide us with a service.
These providers are obliged to keep your details secure and use them only to fulfil a purpose. If we wish to pass your sensitive or confidential information onto a third party, we would only do so once we have obtained your consent, unless we are legally required to do so.
We may disclose information to other partners without consent where it is necessary, either to comply with a legal obligation, or where permitted under Data Laws, e.g. this could be where the disclosure is necessary for the purposes of the prevention and/or detection of crime or necessary to perform our contract with you.
We have an information sharing protocol with our constituent authorities and those that provide us with services (e.g. Internal Auditors, External Auditors) so they are aware of the responsibilities between Tees Valley Combined Authority (as the controller) and the service being provided (as the processor). We do this so you can be confident that all our constituent authorities and those that provide services to us comply with our privacy principles.
We also take responsibility for any information that is shared with us by a constituent authority and act in accordance with the principles and privacy notices of an organisation/authority for any occasions where Tees Valley Combined Authority may act as a processor. We apply the same commitment to this information.
At no time will your information be passed to organisations external to us and our partners, for marketing or sales purposes or for any commercial use without your prior expressed consent.
Lawful Grounds for Processing
We have set out below, in a table format, a description of all the usual ways we plan to use your personal data, and which of the legal bases we rely on to do so. We have also identified what our legitimate interests are where appropriate.
Note that we may process your personal data for more than one lawful ground depending on the specific purpose for which we are using your data. Please contact us if you need details about the specific legal ground we are relying on to process your personal data where more than one ground has been set out in the table below.
|Purpose/Activity||Type of data||Lawful basis for processing including basis of legitimate interest|
|To respond to enquiries submitted by you via our website or other contact points||(a) Identity|
|(a) Performance or preparation to perform of a contract with you and/or|
(b) Either: Necessary for our legitimate interests or further to performance of a public task and/or
(c) Your consent
|To process and deliver any grant or funding applications:|
(a) Manage payments, fees and charges
(b) Process and verify claims
(c) Monitor performance against fund specific requirements
(e) Marketing and Communications
|(a) Performance of a contract with you|
(b) Either: Necessary for our legitimate interests or further to performance of a public task and/or
(c) Your consent
|To manage our relationship with you which will include:|
(b) Asking you to provide further information on any enquiry or application you’ve made to us
(c) creating and organising committees
(d) declarations of interest from committee members
(d) Marketing and Communications
(e) List of Financial or other interests
|(a) Performance of a contract with you and/or|
(b) Necessary to comply with a legal obligation and/or
(c) Either: Necessary for our legitimate interests (to keep our records updated and to study how customers use our products/services) or Performance of a Public Task and/or
(d) Your consent
|To administer and protect our business and this website (including troubleshooting, data analysis, testing, system maintenance, support, reporting and hosting of data)||(a) Identity|
|(a) Necessary for our legitimate interests (for running our website and organisation, provision of administration and IT services, network security, to prevent fraud and in the context of a business reorganisation or group restructuring exercise)|
(b) Necessary to comply with a legal obligation
|To deliver relevant website content and advertisements to you and measure or understand the effectiveness of the advertising we serve to you||(a) Identity|
(e) Marketing and Communications
|Either necessary for our legitimate interests or further to performing a public task (where applicable) (to study how users interact with our website and/or services, to develop them, to grow our organisation and its influence/impact on the local community and to inform our marketing strategy)|
|To use data analytics to improve our website, services, marketing, user relationships and experiences||(a) Technical|
|Necessary for our legitimate interests (to define types of users for our services, to keep our website updated and relevant, to develop our organisation and to inform our marketing strategy)|
|To make suggestions and recommendations to you about events, committees, grants or services that may be of interest to you||(a) Identity|
(f) Marketing and Communications
|Either: necessary for our legitimate interests (to develop our products/services and grow our business) or (where applicable) in performance of a public task|
Disclosure of Data
We will only disclose your information to third parties when:
- we are required to do so by our funders – eg HM Government – or in relation to the funds we manage
- if there is a business/operational need to do so we will inform you and seek your consent as we may use third parties to process data on our behalf or run projects in conjunction with other organisations. Should we anticipate such activity we will inform you at the point we collect information.
- we are under a duty to do so in order to comply with a legal obligation or to protect the rights, property or safety of others; this includes, but is not limited to exchanging information with other organisations for the purposes of fraud protection and crime prevention
In the event that we need to transfer personal information outside of the European Economic Area (EEA), we will take all steps reasonably necessary to ensure that the appropriate safeguards are in place and that your information is processed securely.
We currently use a third party software service provider, MailChimp, to assist us with distribution of certain marketing and information materials. This may result in transfer of certain personal data to the United States. Transfer of personal data in these circumstances will be on the basis of the European Commission’s Standard Contractual Clauses. We always keep the personal data transferred to a minimum, usually only your name and contact details will be shared. Following recent decisions and guidelines issued in relation to transfer of European data to the US we will be keeping these transfer activities under review. If you do not wish to have your personal data processed in this way please do not sign up for our marketing emails. You can also unsubscribe from our e-marketing at any time by using the unsubscribe link, which is included with all our marketing emails.
We will retain your information in line with the period outlined at the time the data is collected and only for as long as it is necessary to do so and in accordance with our Data Retention and Destruction Policy.
Tees Valley Combined Authority would only send you a marketing email when you gave your consent to sign up to a mailing list, distribution list or newsletter.
We ensure that we have a system in accordance with data protection principles for any marketing we will ask you to give a positive opt-in to receiving marketing. This would always be your choice.
Tees Valley Combined Authority will only use your consented information to the purpose you sign up to a mailing list for (and nothing else) which will be explicitly given from the onset, for example:
- sign up to a newsletter or specific update
- consultation exercise
- sign up to a forum/event
- sign up for information regarding Committee meeting dates/information
As part of our internal procedures to ensure information is current and up to date, we will regularly review our e-marketing mailing lists to ensure that you still would like to receive information from us. We will always advise you that you are able to withdraw consent at any time regarding your information being included on our e-marketing mailing list and ask if you would like to specifically opt-out of the electronic mailing list; this option will always be visible and clear within any marketing contacts we send you.
If we make a mistake or your information changes
We like to ensure we keep information accurate and up to date. It is important that if we have any of your information inaccurate, incomplete or we have made an error, you notify us. Equally it is your duty to inform us of changes to your personal information. Please do so during the course of your relationship with us by emailing DPO@Teesvalley-ca.gov.uk
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a “data subject access request”). This enables you to receive a copy of the personal information we hold about you and to check that we are lawfully processing it.
- Request correction of the personal information that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request that we transfer a copy of your personal information to another party, please contact our Data Protection Officer via DPO@Teesvalley-ca.gov.uk
No fee usually required
You will not have to pay a fee to access your personal information (or to exercise any of the other rights). However, we may charge a reasonable fee if your request for access is clearly unfounded or excessive. Alternatively, we may refuse to comply with the request in such circumstances.
What we may need from you
We may need to request specific information from you to help us confirm your identity and ensure your right to access the information (or to exercise any of your other rights). This is another appropriate security measure to ensure that personal information is not disclosed to any person who has no right to receive it.
Right to withdraw consent
In the limited circumstances where you may have provided your consent to the collection, processing and transfer of your personal information for a specific purpose, you have the right to withdraw your consent for that specific processing at any time. To withdraw your consent, please contact DPO@teesvalley-ca.gov.uk. Once we have received notification that you have withdrawn your consent, we will no longer process your information for the purpose or purposes you originally agreed to, unless we have another legitimate basis for doing so in law.
Other Information Rights
The Right to Complain
You have a right to lodge a complaint about us with the Supervisory Authority at an any time. You can make a complaint to The Information Commissioner’s Office via this page: https://ico.org.uk/make-a-complaint/
Freedom of Information
Data can also be requested via a Freedom of Information request. We also have a FOI Publication Scheme on our website, that commits the Tees Valley Combined Authority to make information available to the public as part of its normal business activities. These can be found at https://teesvalley-ca.gov.uk/transparency/publication-scheme/
Data Protection Officer
If you have any questions or concerns, please contact our Data Protection Officer at DPO@Teesvalley-ca.gov.uk
Changes to our Notice
For further information the Information Commissioner’s Office Website provides further details regarding data protection principles and responsibilities at https://ico.org.uk
UK Community Renewal Fund: Tees Valley Combined Authority Privacy Notice
Updated 8th April 2021
The identity of the data controller and contact details of our Data Protection Officer
The Ministry of Housing, Communities and Local Government (MHCLG) is a data controller for all UK Community Renewal Fund related personal data collected with the relevant forms submitted to MHCLG, and the control and processing of Personal Data.
The Data Protection Officer for MHCLG can be contacted at firstname.lastname@example.org
Mayoral Combined Authorities, the Greater London Authority, County Councils or Unitary Authorities, have been designated as a ‘Lead Authority’ in Great Britain for the UK Community Renewal Fund. Each Lead Authority has been invited to run a local bidding process and will be a joint data controller for all UK Community Renewal Fund related Personal Data collected with the relevant forms as part of this process, and the control and processing of Personal Data, where such applications are not submitted to MHCLG for consideration.
The local Data Controller for all the information you provide on this form is Tees Valley Combined Authority, Teesside Airport Business Suite, Teesside International Airport, Darlington, DL2 1NJ. Data Protection Registration Number: Z4969253.
Why we are collecting your personal data
Your personal data is being collected as an essential part of the UK Community Renewal Fund bidding process, so that we can contact you regarding your bid and for monitoring purposes. We may also use it to contact you about matters specific to the Fund.
Legal basis for processing your personal data
Tees Valley Combined Authority will process all data according to the provisions of the Data Protection Act 2018 and the UK General Data Protection Regulation 2018 (UK GDPR) and all applicable laws and regulations relating to processing of Personal Data and privacy, including, where necessary, the guidance and codes of practice issued by the Information Commissioner and any other relevant data protection regulations (together “the Data Protection Legislation (as amended from time to time)”).
The Data Protection Legislation sets out when we are lawfully allowed to process your data. The lawful basis that applies to this processing is Article 6 (1) (e) of the UK GDPR; that processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; data being processed belongs to business contacts processed during the routine course of business of a government department.
With whom we will be sharing the data
As part of the process of selecting and monitoring the UK Community Renewal Fund, Tees Valley Combined Authority will share your personal data with relevant internal services and government departments including:
- Ministry of Housing and Local Government (MHCLG)
The data may also be shared with contractors where they are used for monitoring purposes, to evaluate the programme. Their contract will set out what they are permitted to do with personal data.
For how long we will keep the personal data, or criteria used to determine the retention period
If your bid is successful, your personal data will be held for up to two years from the closure of the bidding process. This is currently estimated to be July 2023. As part of the monitoring process, we will contact you regularly to ensure our records are up to date.
Should your bid be unsuccessful it will be held for audit purposes but will be deleted in line with our Data Retention and Destruction Policy.
Your rights, e.g. access, rectification, erasure.
Your personal information belongs to you and you have the right to:
- be informed of how we will process it
- request a copy of what we hold about you and in commonly used electronic format if you wish (if you provided this to us electronically for automated processing, we will return it in the same way)
- have it amended if it’s incorrect or incomplete
- have it deleted (where we do not have a legal requirement to retain it)
- withdraw your consent if you no longer wish us to process
- restrict how we process it
- object to us using it for marketing or research purposes
- object to us using it in relation to a legal task or in the exercise of an official authority
- request that a person reviews an automated decision where it has had an adverse effect on you
Sending data overseas
Your data will be held within Tees Valley Combined Authority’s secure network and premises and will not be processed outside of the UK. Access to your information will only be made to authorised members of staff who are required to process it for the purposes outlined in this privacy notice.
Any sub-contractor(s) or external organisations detailed in this privacy notice will also maintain the same levels of security that we do which are set out in the contract we have with them.
Automated decision making
We will not use your data for any automated decision making.
Storage, security and data management
Your personal data will be stored in a secure Combined Authority IT system. Where data is shared with third parties, as set out in the data sharing section above, we require third parties to respect the security of your data and to treat it in accordance with the law. All third parties are required to take appropriate security measures to protect your personal information in line with our policies.
Complaints and more information
If you would like to access any of the information we hold about you or have concerns regarding the way we have processed your information, please contact: Data Protection Officer, Tees Valley Combined Authority, Teesside Airport Business Suite, Teesside International Airport, Darlington, DL2 1NJ Tel: 01642 524400 Email: email@example.com
We would prefer any complaints to be made to us initially so that we have the opportunity to see if we can put things right. However, if you are unhappy with the way we have processed your information or how we have responded to your request to exercise any of your rights in relation to your data, you can raise your concerns direct with the Information Commissioner’s Office Tel No. 0303 123 1113 https://ico.org.uk/concerns/