Legal privacy notice

Who is the data controller for the information we collect

This Privacy Notice is provided to meet the requirements of the UK General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA) to explain how we process your personal data in delivering Legal Services. 

Leeds City Council is the data controller for the purposes of the Data Protection Act 2018 and other regulations including the UK General Data Protection Regulation, which means it determines what your data is used for and why it is collected. The contact details of the Council are Civic Hall, Calverley Street Leeds LS1 1UR.

The data we will collect 

To deliver Legal Services we will process data that includes 

  • Name
  • Address
  • Date of birth etc
  • Contact details
  • Images
  • Financial information
  • Employment information
  • Identity documents
  • Social Care 

Special Category (including finance data):

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership;
  • genetic data;
  • data concerning health;
  • data concerning a person’s sex life; and
  • data concerning a person’s sexual orientation.

Criminal offence data

Personal information about offenders or suspected offenders in the context of:

  • criminal activity;
  • allegations;
  • investigations; and proceedings.
  • unproven allegations
  • information relating to the absence of convictions.

How do we collect information about you

We may collect information about you from you directly.

We may also obtain information about you from other sources such as:

  • internal council departments
  • other persons acting on your behalf, for example, your solicitors
  • other public authorities, including the police, other local authorities, and government agencies
  • other third parties or outside agencies,
  • courts
  • health agencies

Why we process your data

We use your information to:

  • to undertake legal work in respect of the Council’s statutory functions and activities
  • to undertake legal work for external clients (such as other local authorities)
  • to monitor Regulation of Investigatory Powers (RIPA) authorisations
  • to provide a land charges service

All the data collected will be treated in strict confidence and in accordance with the requirements of the Data Protection Act 2018 and UK General Data Protection Regulation (UK GDPR). The data provided by you will only be used for the purpose(s) specified.

Lawful basis for processing

We will process your data in accordance with UK GDPR Article 6(1). The processing shall be lawful only if and to the extent that the following applies:

  • Article 6(1)(b) - We have a contractual obligation and need to process your personal data to comply with obligations under the contract or in preparation for entering the contract.
  • Article 6(1)(c) - We have a legal obligation - To fulfil legal obligations under statute or common law relating to all areas of the Council’s statutory or other functions, including: adult social care, childcare, employment, education litigation, commercial property, planning, highways, environmental, local government, coronial, judicial review, the Local Land Charges Act of 1975 and Rules of 1977, the Regulation of Investigatory Powers Act 2000
  • Article 6(1)(d) - We have a vital interest
  • Article 6(1)(e) - We need it to perform a public task.

We will process your special category data in accordance with UK GDPR Article9(2). The processing shall be lawful only if and to the extent that the following applies:

  • Article 9(2)(b) – processing is necessary to carry out our obligations and specific functions in the field of employment, social security and social protection as laid out in law. Where we are relying on this provision, we will also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018
  • Article 9(2)(f) – processing is necessary for the establishment, exercise or defence of legal claims and judicial acts.
  • Article 9(2)(g) – processing is necessary for reasons of substantial public interest, we will also need to meet one of the specific substantial public interest conditions set out in Part 2 of Schedule 1 of the DPA 2018.
  • Article 9(2)(h) – processing is necessary for the purposes of provision of health or social care systems and services as laid out in law. Where we are relying on this condition, we will also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.
  • Article 9(2)(i) – processing is necessary for reasons of public interest in the area of public health as laid out in law. Where we are relying on this condition, we will also need to meet the associated condition in UK law, set out in Part 1 of Schedule 1 of the DPA 2018.

For those instances which require additional conditions in Parts 1 and 2 of Schedule 1, some of these are listed below:

  • employment, social security and social protection
  • health or social care purposes
  • statutory and government purposes
  • preventing or detecting unlawful acts
  • protecting the public against dishonesty
  • regulatory requirements relating to unlawful acts and dishonesty
  • preventing fraud
  • suspicion of terrorist financing or money laundering
  • safeguarding of children and individuals at risk
  • elected representatives responding to requests
  • disclosure to elected representatives
  • vital interests
  • not-for-profit bodies
  • legal claims
  • insurance

All the listed conditions require an Appropriate Policy Document to be in place, which sets out and explains the procedures for securing compliance with the principles in Article 5 and policies regarding the retention and erasure of such personal data. The Council’s Appropriate Policy Document provides further information about this processing and supplements this privacy notice.

Data retention, storage and destruction

Our data retention policies and procedures are designed to help ensure that we comply with our legal obligations in relation to the retention. This means that your information will be kept for a specific period as set out in our retention schedule after which it will be deleted or archived. Some of the information may be kept for longer where it is required by the law or if there is a business requirement to do so. For more information about specific retention periods please contact us.

Who can we share your data with

We share your data with organisations and agencies some of which are shown below as follows: 

  • other council departments
  • elected members and MPs
  • union representatives (with your consent)
  • courts and tribunal
  • representatives of other parties
  • solicitors, barristers and experts
  • the police and other crime enforcement agencies
  • service providers such as bailiffs
  • other public authorities (such as government departments, other councils, HMRC, HM Land Registry, DWP and immigration services)
  • regulatory bodies
  • auditors
  • educational establishments
  • health agencies
  • our insurers and others

In addition, we will share your personal data:

  • where such disclosure is necessary for compliance with a legal obligation to which we are subject
  • in order to protect your vital interests or the vital interests of another natural person
  • for the purposes of security and prevention of fraud and other criminal activity
  • where such disclosure is necessary for the establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure

Automated decision making

Your data will not be used for any automated decision making, including profiling.

Your rights

The following rights under data protection law are available under the UK GDPR:

  • the right to access – you can ask for copies of your personal data
  • the right to rectification – you can ask us to rectify inaccurate personal data and to complete incomplete personal data
  • the right to erasure - where you can ask us to erase your personal data
  • the right to restrict processing – you can ask us to restrict the processing of your personal data
  • the right to data portability (where you can ask that we transfer your personal data to another organisation or to you
  • the right to object to processing (where you can object to the processing of your personal data)
  • the right to complain to a supervisory authority – you can complain about our processing of your personal data
  • the right to withdraw consent (to the extent that the legal basis of our processing of your personal data is consent, you can withdraw that consent

Where we process your information under legal obligation certain rights to do not apply, such as erasure, data portability, objection to processing and the right to withdraw consent. 

Where we process your data under the public task basis, certain rights to do not apply, such as erasure, data portability and the right to withdraw consent. 

Where we process your data under the contractual obligation, certain rights to do not apply, such as right to object and to withdraw consent. 

These rights are subject to certain limitations and exceptions. You can learn more about your rights through the ‘Your individual rights and how to exercise them’, and the Information Commissioner’s Office website. You may exercise any of the above rights in relation to your personal data by writing to us, using the contact details provided below.

When your data gets sent to other countries

The majority of personal information is stored on systems in the UK but there are some occasions where your information may leave the UK either in order to get to another organisation or if it is stored in a system outside of the UK. 

We have additional protections on your information if it leaves the UK ranging from secure ways of transferring data, to ensuring we have a robust contract in place with that third party. 

We’ll take all practical steps to make sure your personal information is not sent to a country that is not seen as ‘safe’ either by the UK or EU Governments.

If we need to send your information to an ‘unsafe’ location, we’ll always seek advice from the Information Commissioner first.

Contact us

Any queries in relation to this Privacy Notice should be forwarded to:

Email: LEG.FOI@leeds.gov.uk 

Data Protection Officer

Aaron Linden
Head of Information Management and Governance - Data Protection Officer
Leeds City Council
Merrion House
110 Merrion Way
Leeds
LS2 8BB
DPO@leeds.gov.uk

The Council privacy notice is available to view.

Complaints

If you are unhappy with the way in which your information has been handled you should speak with the specific service in the first instance. 

Any data protection complaints about how the council has processed your personal data, will be handled in accordance with the council’s Complaints Policy. You can find out how to submit a complaint online.

If we cannot resolve your complaint, you can refer to the Information Commissioner if you consider that there has been an infringement of data protection legislation. Further details can be found on the Information Commissioner’s website.

Changes to this notice

We keep our privacy notice under regular review. We will notify you of significant changes to this notice by email or other means as appropriate. This privacy notice was last updated April 2025