How we use information legally and the Council's use of AI

We will use your personal data for a limited number of purposes and where we have a legal reason to do so in accordance with the Data Protection Act 2018 (DPA2018), UK GDPR.

There are a number of legal reasons why we need to collect and use your personal information:

  • You, or your legal representative, have given consent
  • You have entered into a contract with us
  • To perform our legal duties
  • It is necessary for a task in the public interest 
  • To protect someone in an emergency
  • For employment purposes
  • To deliver health or social care services
  • You have made your information publicly available
  • For legal cases
  • For the benefit of society as a whole
  • To protect public health
  • For records or research

The Data Use and Access Act 2025 has introduced Article 8A into the UK GDPR, which reforms how compatible further processing is assessed. 

Where we use your personal data for a purpose that is different from, but related to, the purpose for which it was originally collected, we will assess whether that further use is compatible with the original purpose by considering factors including: 

  • any link between the original and new purpose; 
  • the context in which the data was collected; 
  • the nature of the data, including whether it is special category data; 
  • the possible consequences for you; 
  • whether appropriate safeguards are in place. 

In addition, certain types of further processing are treated as compatible with the original purpose where they meet the conditions set out in Annex 2 of the UK GDPR (as amended). These include: 

  • processing that is necessary for the performance of a public task, 
  • for the safeguarding of vulnerable individuals, 
  • or for the prevention and detection of crime. 

Where the Council relies on Article 8A and Annex 2 to justify further processing of your data, we will document that assessment and ensure that appropriate safeguards are applied.

If we are relying on your consent to use your personal information, you may remove it at any time – just contact DPOTeam@coventry.gov.uk

We will only collect and use your personal information if we need it to deliver a service or because we have to by law, and we will collect only the details we need.

Where we are processing your special category data, we also need to meet one of the following conditions: 

  • it is necessary for employment, social security or social protection purposes
  • it is necessary to deliver health or social care services
  • it is necessary to protect someone in an emergency
  • you, or your legal representative, have given consent
  • you have made your own information publicly available
  • it is necessary for legal cases
  • it is necessary to protect public health
  • it is necessary for archiving, research, or statistical purposes

We will not sell your personal information to other organisations.

Use of Artificial Intelligence (AI) 

We use AI tools across a number of our services to help us process your data more efficiently and to improve service delivery.  Examples include transcription tools to produce minutes of meetings, AI-assisted data matching and analysis, and the AI components within our System Customer Record system.  

We will only use AI tools where there is a lawful basis to do us under the UK GDPR and Data Protection Act 2018, and only to the extent necessary to deliver the relevant service.  We will not use AI tools to process more of your personal data than is required for the specific purpose. 

Where we have produced minutes, records or other documents using AI tools, we will state this. All AI-generated content will be reviewed by a member of staff for accuracy before it is relied upon, and that member of staff will take responsibility for the final version of the document.

Whilst we use suppliers who provide AI tools, we ensure that all contracts with those suppliers include appropriate data protection safeguards in accordance with Article 28 of the UK GDPR. Personal data is not used to train open AI models, and the use and control of your personal data remains at all times with Coventry City Council. We carry out Data Protection Impact Assessments (DPIAs) before introducing new AI tools that process personal data.

We do not make solely automated decisions that have a significant or legal effect on individuals. Any decisions informed or assisted by AI will always involve meaningful human review and oversight before they are acted upon. Where AI is used to assist in a decision that affects you, you have the right to request human review of that decision, to express your point of view, and to contest the outcome. Please see 'Your Rights' below and contact DPOTeam@coventry.gov.uk if you wish to exercise these rights.

International Data Transfers 

We may process your information overseas using ICT systems and services that are based outside the UK, but only where we have a contract with suppliers for ICT services that meets our obligations under the UK GDPR and Data Protection Act 2018. 

Where AI tools involve the processing of personal data outside the United Kingdom, we will only permit this where appropriate safeguards are in place, such as the International Data Transfer Agreement (IDTA) or equivalent mechanisms under the UK GDPR. We will carry out a Transfer Risk Assessment where required before any such transfer takes place.

Cookies

Our website uses cookie technology to help log visitors to our website. The information is collected in order to make websites work, or to make them work more efficiently, and provide information for the administration of the website. You can reject the use of cookies. Further information is available here

Prevention and Detection of Fraud 

Coventry City Council is required by law to protect the public funds it administers. We may use any of the information you provide to us for the prevention and detection of fraud to comply with the law.  

In addition to our own 'data matching' exercises we may also share this information with other public bodies.  These include, but are not limited to:

  • Cabinet Office – including the national data matching exercises under Part 6 of the Local Audit and Accountability Act 2014
  • National Anti Fraud Network (NAFN)
  • Cifas
  • Department for Work and Pensions (DWP)
  • other Local Authorities
  • HM Revenue and Customs (HMRC)
  • Police
  • NHS

The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud, money-laundering and to verify your identity. They will also share your information with a range of information providers to obtain documentation or information that will allow us to verify the information you have provided us is accurate. If fraud is detected, you could be refused certain services, finance, or employment.

Further details of how your information will be used by us and these fraud prevention agencies, and your data protection rights can be found on the privacy notices of Cifas and National Anti Fraud Network (NAFN).

Where our AI tools, including the Single Customer Record, involve using your personal data for purposes that go beyond the original purpose for which it was collected, we will assess whether that further use constitutes compatible further processing under Article 8A of the UK GDPR as amended by the Data Use and Access Act 2025. In carrying out that assessment, we will consider the link between the original and new purposes, the context of the original collection, the nature of the data, and the safeguards in place. Where the further processing is necessary for the performance of a public task, for the safeguarding of vulnerable individuals, or for the prevention and detection of crime, it may be treated as compatible with the original purpose under Annex 2 of the UK GDPR. It may also constitute compatible further processing where it is necessary to safeguard the objectives listed in Article 23(1)(c) to (j) of the UK GDPR, which include matters such as public security, the protection of judicial independence, and other substantial public interests. We will always document our compatibility assessment, apply appropriate safeguards, and inform you of any material further use of your data where required to do so. You retain the right to object to further processing of your data; please contact DPOTeam@coventry.gov.uk to do so. 

We also participate in the National Fraud Initiative (NFI) data matching exercise to assist in the prevention and detection of fraud. More information about the NFI can be found here.

We may also share information with utility companies, credit reference agencies, service providers, or contractors and partner organisations where the sharing of information is necessary, proportionate, and lawful.

In limited situations we may monitor and record electronic transactions (website, email and telephone conversations).  This will only be used to prevent or detect a crime or investigate or detect the unauthorised use of the telecommunications system and only as permitted by the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000.

Emergency Response Management

Data matching may also be used to assist the council in responding to emergencies or major accidents, by allowing the council, in conjunction with the emergency services, to identify individuals who may need additional support in the event of e.g. an emergency evacuation.

Public Health Services

We are responsible for Public Health Services and we need to process personal information such as medical details to help this work. This information will be handled in the same way as all other personal information. Further details can be found in the Public Health Services Privacy Notice

Employee Data

We will handle personal information for people who work – or have worked – at the Council, councillors and other elected officials and volunteers for all employment purposes, such as pay and pensions. Further details can be found in the HR Privacy Notice