Skip to content

How the Council uses your information

Boston Borough Council takes the privacy and security of its clients, staff and citizens seriously. We try our best to manage all personal data in a safe and responsible manner.


To provide a number of services and lawful functions Boston Borough Council has access to a large amount of private & personal Information about people, their lives and their finances.  In some cases the types of information the Council can collect include 'special category' information which is considered to be more sensitive.  This includes race, ethnic origin, religion, politics, genetics, biometrics, health, trade union membership, sex life or sexual orientation.  Sometimes information is given to the Council by the person it relates to, sometimes by a partner agency other times it is collected by the Council directly.

Each person has a right to know that the Council is using, storing and sharing their information in a clear and transparent way.  The Data Protection Act has provisions in expressing certain 'subject's rights' that an individual can use to see, amend and challenge the use of information within 30 days of the request.

In some cases the Council is using information to meet a lawful obligation placed upon the Council by a series of Laws.  In this case the Council may need to withhold some of the 'subject's rights'.

If an individual has any concerns regarding the use, or potential misuse or loss of their information by Boston Borough Council then they can contact the Councils Data Protection Officer. 

Notice (to meet Article 13 - GDPR):

The Data Controller

Boston Borough Council
Municipal Buildings
West Street
PE21 8QR


General Council Functions including Benefits, Housing and CCTV

Returning Officer -

Boston Borough Council
Municipal Buildings
West Street
PE21 8QR


For election and electoral functions

The Data Protection Officer

Data Protection Officer
Municipal Buildings
West Street
PE21 8QR


Telephone: 01205 314368

Purposes for Processing


The Council must have a lawful reason to use personal information under the Data Protection Act.  This is listed below - or expanded in the departmental fair processing statement:

·         The Council may process personal information to comply with Legal or Statutory Powers and Obligations.

·         The Council may need to process information in undertaking a contract; or to establish a contract.

·         The Council may process information if it has legitimate business reasons.

·         The Council may process with your given consent.


On request the Council must be able to demonstrate the legal and proportionate reason for processing any personal information.  Failure to do so may be an offence under the Data Protection Act.





Your Rights under the Data Protection Act.

'Right to be informed' means we will be completely clear and transparent about how we plan to use your personal information

'Right of access' means that you can request a copy of the personal information that we hold about you, have an explanation why it is held and who we have shared it with; within one month.

'Right to rectification' means you can ask us to update or amend your details that we hold if you believe them to be incorrect.

'Right to restrict processing' means you can ask us to change, restrict or stop the way that we are using your information - in most cases the Council has a Specific Legal Reason to use your information, but this will be explained on application.

'Right to erasure' means that you can ask us to remove any personal data from our systems, again where the council has a legal reason or duty to record your information this right may be limited.

'Right to data portability' means that you can ask to have a copy of your information from our systems in a format that allows reuse for your own purposes.

'Right not to be subject to automated decision making' means that if we use a computer system to make an automatic decision about you, you have the right to ask for a human to intervene and decide, this may change the outcome.

You have the right to complain to any of the supervising Authorities, The information Commissioner's Office (ICO) if you are not satisfied with how we manage your privacy or you feel we have acted incorrectly.

The obligation to notify relevant third parties

In giving effect to the rights discussed above, the GDPR also imposes a new obligation on data controllers. Where a data controller has disclosed personal data to third parties, and the data subject subsequently exercises any of the rights of rectification, erasure or restriction, the GDPR requires the data controller to inform such third parties of the fact that the data subject has exercised those rights (unless this is 'impossible or involves disproportionate effort'). The data subject is also entitled to request information about the identities of the third parties to whom his or her personal data have been disclosed. For organisations that routinely disclose personal data to a large number of third parties, this may become particularly burdensome.

The right to bring class actions

The GDPR grants data subjects the right to be collectively represented by not-for-profit bodies. Data subjects may mandate such bodies to act on their behalf and exercise their rights, including the right to bring complaints to DPAs, and to seek judicial remedies against data controllers and data processors. This appears to pave the way for class actions brought by data subjects against organisations that have infringed their data protection rights. As a result, organisations are likely to face substantially greater litigation risks under the GDPR than they face under the Directive.