Privacy Statement

This is an overview of how Kent County Council makes sure you understand how we use your personal information. The law requires us to provide information about who we are, how to contact us, the purpose for which your personal data is used and who we share it with.

To understand how your own personal information is processed refer to any personal communications you have received, check the privacy notices for the service or contact the service directly to ask about your personal circumstances.

The council provides a range of statutory and other services to local people and businesses and collects personal data for many purposes, so this general statement explains how we make sure you have the information you need at the point it is collected.

For information on how we will use your personal information during and in response to the COVID-19 (coronavirus) pandemic, please refer to the supplemental privacy information.

See privacy notices for Kent County Council’s services

Who we are

Kent County Council is registered as a data controller with the Information Commissioner’s Office (ICO) and we are regulated under the General Data Protection Regulation 2016.

Our ICO registration number is Z5297748: View our entry on the ICO data protection register.

Our Data Protection Officer is Benjamin Watts.

The personal information we collect and use

Information collected by us

Our services either collect personal information directly from you or receive it from third parties. We only receive your personal data from outside agencies or third parties where there is a sound legal basis and purpose for doing so.

When gathering and using personal information, we will comply with the data protection principles, as set out in the KCC data protection policy. Depending on the needs of the service and the purpose of processing, we may collect some or all of the following types of information:

  • Identity (name, date of birth, gender)
  • Contact (address, email address, telephone numbers)
  • Technical (IP address)
  • Education (student and pupil records)
  • Commercial Services data (services used)

Reasons we collect and use your personal information

We may need to use some information about you to:

  • deliver and manage the services and support we provide to you;
  • respond to enquiries or complaints;
  • train and manage employees or volunteers who deliver those services;
  • control spending on services;
  • monitor the quality of our services; and
  • research and plan new services.

For the Council to be able to process your personal information we need to demonstrate that we have a lawful basis for doing so. 

The table below provides examples of some of our purposes for processing data and their lawful bases. This is by no means comprehensive.


Columns: purpose of processing; type of data; lawful basis for processing including the basis of any legitimate interest grounds.

Purpose: To register you as a customer/complainant
Type of data: a. Identity; b. Contact
Lawful basis:
  • For a customer: consent of the data subject, or performance of a contract with you, or necessary for the performance of a task carried out in the public interest
  • For a complainant: necessary for the performance of a public task in the public interest

Purpose: To manage payment, fees and charges; to collect money owed to us
Type of data: a. Identity; b. Contact; c. Financial
Lawful basis:
  • Performance of a contract with you
  • Necessary for the performance of a task in the public interest
  • Necessary to comply with a legal obligation

Purpose: To administer and protect our website (including data analysis, testing, system maintenance, support)
Type of data: a. Identity; b. Contact; c. Technical
Lawful basis:
  • Necessary for our legitimate interests (provision of administration and IT services, network security, to prevent fraud)

Purpose: Provision of education and education support services
Type of data: a. Identity; b. Contact; c. Social Educational records; d. Special category; e. Case files
Lawful basis:
  • Necessary to comply with a legal obligation
  • Necessary for the performance of a task in the public interest
  • For special category: necessary for carrying out the obligations and rights of the individual or the data controller in the social protection law field

Purpose: Promoting the services we provide
Type of data: a. Identity; b. Contact; c. Special category
Lawful basis:
  • Consent of the data subject
  • Necessary for the performance of a public task in the public interest

Purpose: Marketing our local tourism and events
Type of data: a. Identity; b. Contact; c. Special category
Lawful basis:
  • Consent of the data subject
  • Necessary for the performance of a public task in the public interest

Purpose: Providing leisure and cultural services
Type of data: a. Identity; b. Contact; c. Special category
Lawful basis:
  • Consent of the data subject
  • Necessary for the performance of a public task in the public interest
  • For special category: explicit consent of the data subject to process their special category data

How long your personal data will be kept

We will only hold your personal information for as long as necessary. We use our retention schedule to work out how long we need to keep your information. You will be informed in the service-specific privacy notice of how long your data will need to be kept prior to secure disposal.

Who we share your personal information with

Your personal information may be shared with internal departments or with external partners and agencies involved in delivering services on our behalf. However, we will only share information with organisations who will also comply with appropriate data protection laws. You will be informed in the service-specific privacy notice of who your data may be shared with, if at all.

Sharing of information is crucial to the successful delivery of local services. The GDPR specifically recognises that “data protection” should not be an excuse to prevent proper sharing of personal data.

The Kent and Medway Information Sharing Agreement (KMSA) provides a framework to enable a number of organisations and public bodies across Kent and Medway to share personal information. The Agreement reflects the requirements of the General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 (DPA 2018).

KCC does not pass personal data to third parties for marketing, sales or any other commercial purposes without your prior explicit consent.

Our website

We collect certain information or data about you when you use

We collect:
  • questions, queries or feedback you leave, including your name, postcode and email address
  • details of which version of web browser you used and other information about your device
  • information on how you use the site, using cookies and page tagging techniques

For more information on cookies and related technologies used on this site, and how to disable them, read our cookie policy.

The data we collect on this site can be viewed by authorised people in Kent County Council as well as our suppliers, to:
  • improve the site by monitoring how you use it
  • gather feedback to improve our services
  • respond to any feedback you send us, if you’ve asked us to
  • allow you to access council services and make transactions
  • provide you with information about local services if you want it.

Storing your website data

We store your data on secure servers in the EEA. Sending information over the internet is generally not completely secure, and we can’t guarantee the security of your data while it’s in transit. Any data you send is at your own risk. We have procedures and security features in place to keep your data secure once we receive it.

Links to other websites

contains links to other websites. This privacy statement only applies to and doesn’t cover other services and transactions that we link to. These services will have their own terms and conditions and privacy policies. If you go to another website from this one, read the privacy policy on that website to find out what it does with your information.

Emails

Sevenoaks Museum’s central email address is monitored and managed by the Museum. Only authorised members of staff have access to the emails. All emails are managed from within KCC’s secure ICT Network. The information you provide in any email you send us will depend on the reason for your enquiry and what you are trying to get done. You should read the privacy notice relating to the service that you are emailing us about.

Reliance on UK exemptions from GDPR

KCC may process information in reliance on the exemptions under the Data Protection Act where allowed (for example, where the personal data is processed and a claim to legal professional privilege would apply; in relation to the provision of confidential references; or where personal data is processed for the purposes of management forecasting, to the extent that such activity would be prejudiced by advance notification).

Your rights

Under the GDPR you have rights which you can exercise free of charge that allow you to:
  • know what we are doing with your information and why we are doing it
  • ask to see what information we hold about you (known as a Subject Access Request)
  • ask us to correct any mistakes in the information we hold about you
  • object to direct marketing
  • make a complaint to the Information Commissioner’s Office
  • where we process information based on your consent, you have the right to withdraw your consent at any time.
Depending on our reason for using your information you may also be entitled to:
  • ask us to delete information we hold about you
  • have your information transferred electronically to yourself or to another organisation
  • object to decisions being made that significantly affect you
  • object to how we are using your information
  • stop us using your information in certain ways.

We will always seek to comply with your request. However, we may be required to hold or use your information to comply with legal duties. Please note, your request may delay or prevent us delivering a service to you.

For further information about your rights, including the circumstances in which they apply, see the guidance from the UK Information Commissioner’s Office (ICO) under GDPR. If you would like to exercise a right, please contact the Information Resilience and Transparency Team at .

Keeping your personal information secure

We have appropriate security measures in place to prevent personal information from being accidentally lost or used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.

Emails that we send to you or you send to us may be retained as a record of contact and your email address stored for future use in accordance with our record retention schedule. If Sevenoaks Museum needs to email sensitive or confidential information to you, we will perform checks to verify the correct email address and may take additional security measures. If sending us such information we recommend using our secure online forms where provided, or the postal service.

We also have procedures in place to deal with any suspected data security breach. We will notify you and any applicable regulator of a suspected data security breach where we are legally required to do so.


Please contact the Information Resilience and Transparency Team at  to exercise any of these rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.

You can contact our Data Protection Officer, Benjamin Watts, at  or by writing to Data Protection Officer, Sessions House, County Hall, Maidstone, Kent ME14 1XQ.

You also have the right to lodge a complaint with a supervisory authority. The supervisory authority in the UK is the Information Commissioner.