Privacy notice
Your Electoral Registration Officer (ERO) is the Data Controller for the local Voter Authority Certificate scheme.
The purpose of this privacy notice is to tell you how we will process your personal data provided as part of the Voter Authority Certificate application.
We are only allowed to use, gather, and share personal information where we have an appropriate legal basis to do so. We only collect and process personal information to fulfil our legal and official functions. We will only use personal information when the law allows us to and where it is necessary and proportionate to do so.
What personal data we are collecting and why
We will collect the following personal data about you as these are needed to apply for a Voter Authority Certificate:
- your full name,
- date of birth,
- address,
- overseas, military or other address where relevant,
- your National Insurance number,
- any documents provided in support of your application,
- a photo of you, and
- if you have chosen to provide them, your email address and telephone number.
If you cannot provide us with your NI number or a photograph during your application, or we cannot verify your identity, we will ask you for further information – which may include health related or other sensitive information about yourself. If we need to do this, we’ll explain clearly to you what we require.
If you agree to our use of “cookies” (see below) on the website we use, we will also collect information about your website activity (e.g., number of visits, time spent on pages). We will use this to understand how effective the website is for example; do you need to keep leaving to get more information or is it taking a long time to complete the form.
How we use your personal data
You will now need an accepted identification (ID) document, with your photo on it, to vote in person at polling stations in English local elections and referendums, mayoral and Police and Crime Commissioner elections and UK Parliament by–elections from 4 May 2023 onwards. If you don’t have one that is on the list of accepted photo ID documents – like a driving licence or passport – you will be able to apply for a Voter Authority Certificate which will allow you to vote on the day.
We will use your data to process your Voter Authority Certificate application and issue a Voter Authority Certificate as appropriate. This will require us to share your data with certain partners and service providers, which we explain below.
The application process requires us to check that you are genuinely the person making the application for yourself, and not someone else. To verify your identity, we use your National Insurance number, and your details on the Electoral Roll, to check if these are correct with the organisations that hold them.
If you are not able to provide a suitable photograph of yourself when applying for a Voter Authority Certificate, we’ll need to ask for some additional personal data from you so that we can assess your application. We will explain this clearly to you if that is necessary.
With whom we will be sharing the data
Your Local ERO will share your personal data with external organisations detailed below which are providing the IT systems and support to allow the Voter Authority Certificate application service to operate effectively.
We will share your personal data with:
- The Department for Levelling Up, Housing and Communities (DLUHC) – which is providing the IT systems we use for making applications online for Voter Authority Certificates and is acting as our data processor.
We will also share your personal data with and collect details about you from:
- The Department of Work and Pensions (DWP) – they will check the National Insurance number you provide against their own records, as part of verifying your identity
Where we share your data with DLUHC or DWP, we will ensure that the processing of your personal data remains in strict accordance with the requirements of data protection laws, and we will update this privacy notice to reflect any change to those arrangements.
To enable your printed certificate to be produced, data relevant to the production of the certificate will be shared with the certificate provider.
How long we will keep your personal data
We will retain your data in accordance with our data retention policy, which requires data to be held for 28 days after the certificate is issued before being deleted. If an application is rejected, then data will be held for a year. Once the relevant time period has elapsed, data will be deleted except for name, date of issue and certificate number where a certificate has been issued.
We also hold back–ups of data for 14 days and data identifiers about your use of our website collected by cookies is kept for 26 months.
Your rights
Under the UK General Data Protection Regulation (UK GDPR) you have rights as to how your personal can be used. These are explained here:
- You have the right to request information about how your personal data are processed, and to request a copy of that personal data.
- You have the right to request that any inaccuracies in your personal data are rectified without delay.
- You have the right to request that any incomplete personal data are completed, including by means of a supplementary statement.
- You have the right to request that your personal data are erased if there is no longer a justification for them to be processed.
- You have the right in certain circumstances (for example, where accuracy is contested) to request that the processing of your personal data is restricted.
- You have the right to object to the processing of your personal data.
If you wish to exercise any of these rights – for example, request personal data that we hold about you – please contact us at the details provided below.
In relation to data collected by website cookies: You have the right to withdraw your consent by using the “cookie banner” that will appear when using our website for the first time.
Lawful basis for processing the data
We are using the following lawful basis under UK GDPR to process personal data:
- Article 6(1)(e) of the UK GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority
We may also process “special categories” of personal data which may include information about your health or other details about yourself. Where we do so our lawful basis is
- Article 9(2)(g) of the UK GDPR – processing is necessary for reasons of substantial public interest.
Is any personal data sent overseas?
We will not be sending your personal data outside of the UK.
Automated decision making and profiling
No decision will be made about you solely based on automated decision making (that’s where a decision is taken about you using an electronic system without human involvement), and which has a significant impact on you.
Storage, security, and data management
Your ERO and the other parties processing your personal data for this VAC purpose have a duty to safeguard and ensure the security of your personal data where they process this. They do that by having systems and policies in place to limit access to your information and prevent unauthorised disclosure, accidental loss, or alteration of your data. They have procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where they are legally required to do so.
Contact details and more information
The data controller for personal data used to apply for a Voter Authority Certificate is your Local ERO.
Contact your local Electoral Registration Office.
Complaints
If you consider that your personal data has been misused or mishandled, you may make a complaint to the Information Commissioner, who is an independent regulator. The Information Commissioner can be contacted at:
Wycliffe House
Water Lane
Wilmslow
SK9 5AF
casework@ico.org.uk
0303 123 1113
Any complaint to the Information Commissioner is without prejudice to your right to seek redress through the courts.