Our Privacy Policy

East Midlands Combined County Authority (EMCCA) – Corporate Privacy Notice

Version: 1.0 | Date: 17 March 2026

Quick Read (Layer 1 Summary)

EMCCA is the data controller operating across Derbyshire, Nottinghamshire, Derby, and Nottingham. Email: contact@eastmidlands-cca.gov.uk. DPO: dataprotection@eastmidlands-cca.gov.uk.

  • What we collect: Contact details, correspondence, survey feedback, grant and program data, HR information, technical logs.
  • Why we use it: To plan and deliver public services, run consultations, manage funding, ensure legal compliance, and maintain secure operations.
  • Our legal bases: Public task, legal obligation, contract, consent for optional communication, legitimate interests (limited).
  • Sharing: Only with trusted partners, processors, and regulators, and only when necessary.
  • Keeping data: We retain it only as long as needed under an approved retention schedule.
  • Your rights: Access, correction, erasure, restriction, objection, portability.
  • Cookies: We use essential cookies; analytics only with consent.
  • How to contact us: contact@eastmidlands-cca.gov.uk (email only during relocation).

1. Who we are and how to contact us

EMCCA is a statutory public body responsible for regional development, transport, skills, economic planning, and delivery of devolved programs. As a data controller, we determine how and why personal data is used. Contact EMCCA at contact@eastmidlands-cca.gov.uk. Our Data Protection Officer (DPO) oversees compliance and can be reached at dataprotection@eastmidlands-cca.gov.uk.

2. What data we collect

We collect names, addresses, emails, phone numbers, consultation responses, grant applications, contract information, HR data, technical logs (IP address, device type), special category data such as health or equalities information where lawful, and criminal offence data when required.

3. Why we use your data and our lawful bases

We use your information to fulfil statutory duties, deliver programs, respond to enquiries, plan services, consult residents, manage contracts, analyse regional needs and report to funders. Lawful bases: Public Task, Legal Obligation, Contract, Consent, and Legitimate Interests (limited). Special category and criminal data follow additional DPA 2018 conditions.

4. How we use your information (functions and purposes)

We use information to deliver transport improvements, support skills and employment programs, manage economic development, distribute grants, engage communities, consult residents, manage budgets, prevent fraud, and analyse equalities impacts. All use is reviewed for necessity and proportionality.

5. Where we obtain your information

Information comes directly from you (surveys, enquiries, applications, events), partner councils, government departments, commissioned providers, educational institutions, and publicly available sources. When obtained indirectly, we explain the source unless legally exempt.

6. Who we share your information with and why

Information may be shared with partner councils, government funders, auditors, IT and research suppliers, law enforcement where required, and regulators such as the ICO. Processors follow strict contracts and safeguards.

7. International transfers

We aim to store personal data in the UK. If overseas transfer is necessary (e.g., cloud hosting), we apply UK GDPR safeguards like adequacy regulations or International Data Transfer Agreements.

8. How long we keep your information

Retention examples: correspondence 3–6 years; contracts 6–12 years; program data per funder rules (often 7–10 years); HR data per statutory limits. After retention ends, data is deleted or anonymised.

9. How we keep your information safe (security)

We use encryption, access controls, monitoring, secure disposal, incident procedures, and mandatory staff training to protect information.

10. Children’s information

Our services are aimed at adults. When engaging young people, we use age‑appropriate explanations and enhanced safeguards. We do not knowingly collect information from under‑13s without protections.

11. Cookies and tracking technologies

Essential cookies enable site functionality. Analytics cookies require consent. You can change cookie settings at any time. See our Cookies Notice.

12. Your data protection rights

Your rights include access, correction, deletion (in some cases), restriction, objection, portability, and rights relating to automated decisions. Email contact@eastmidlands-cca.gov.uk to exercise rights.

13. Health and care information and the Caldicott Principles (fully expanded)

When EMCCA works with partners on projects involving confidential, health‑related, or care‑related information, we apply the Caldicott Principles. These national guidelines protect confidentiality and ensure information is used safely and responsibly. They require us to justify the purpose, use information only when needed, use the minimum necessary, provide access on a need‑to‑know basis, ensure everyone understands responsibilities, comply with the law, balance sharing and protecting, and inform people how their information is used.

14. Law enforcement data and competent authority processing

If EMCCA processes personal data for law enforcement under Part 3 of the Data Protection Act 2018—for example, assisting investigations or preventing fraud—we follow the specific rules for competent authorities, including enhanced safeguards, logging, and maintaining an Appropriate Policy Document (APD).

15. Changes to this notice

We regularly review and update this notice. Major updates will be published on our website.
