Artificial Intelligence (AI) Privacy Notice
Our core data protection obligations and commitments are set out in Bradford Council's primary privacy notice.
This notice provides additional privacy information in relation to Bradford Council’s utilisation of Artificial Intelligence (AI) technologies and should be read in conjunction with the relevant service specific privacy notices already available to view on Bradford Council’s website.
Artificial Intelligence technologies are being introduced and developed in order to ensure we continue to deliver our services effectively and efficiently. However, we recognise that implementing new and fast developing technology requires using a gradual introduction. This means that not all services will immediately start to use AI and where it is in place, the technology will continue to be monitored and reviewed.
Important information on our AI tools
Personal data may be contained within documents uploaded to our AI Tools. We are the data controller of your personal data when it is used, and the AI supplier is a data processor. We have agreements in place with each supplier to ensure that your personal data is protected. Users of our AI Tools are trained to process personal data in accordance with the UK GDPR.
None of your personal data is used solely by the AI technology provider to train or improve their AI products.
Personal information we collect and use
We collect different types of information from you depending on the service you need from us and the reasons why we need to process your personal information. This is set out in the service specific privacy notices already available and will not be changed directly by the introduction of AI technologies.
Why do we process personal data?
In most cases, we will process your personal data using AI technology to improve the efficiency, quality, and speed of our business processes. A lot of these processes are already happening manually. By using AI to automate these processes, this allows Council resources to be deployed where they are needed most.
How long your personal data will be kept?
We will hold your personal information in line with Bradford Council’s retention schedule. At its expiry date the information will be reviewed, and only retained where there is an on going requirement to retain for a statutory or legal purpose. Following this your personal information will be securely destroyed.
Reasons we can collect and use your personal information
The lawful basis for processing personal information using AI will vary depending on the nature and scope of the individual service you are accessing. These lawful bases are likely to include, but are not limited to the following UK General Data Protection Regulations (UK GDPR) provisions:
- Art 6(1)(b) Contracts: where the processing is linked to contracts with the data subject
- Art 6(1)(c) Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
- Art 6(1)(e) Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
- Art 6 (1) (f) Legitimate interests processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party. Subject to a balancing assessment taking into individuals fundamental rights.
We rely on one or more of the following conditions as per Article 9 (2) of the UK GDPR when processing special category information using AI:
- Art 9(2)(a) The data subject has given explicit consent to the processing,
- Art 9(2)(b) Employment: where the processing is linked to employment and social security (read with Schedule 1 paragraph 1 of the Data Protection Act 2018).
- Art 9(2)(f) Legal claim or judicial acts: processing is necessary for the establishment, exercise, or defence of legal claims or whenever courts are acting in their judicial capacity.
- Art 9(2)(g) Substantial Public Interest: Processing is necessary for reasons of substantial public interest, on the basis of domestic law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide suitable and specific measures to safeguard the fundamental rights and interests of the data subject.
- Art 9(2)(h) Social Care: processing is necessary for social care purposes, including the management of such services and systems (read with Schedule 1 paragraph 2 of the Data Protection Act 2018).
Who we share your personal information with
The Council may share your information internally (within the Council) in accordance with statutory obligations. In addition, the Council may share your information with third parties in accordance with statutory, legal and regulatory obligations.
Keeping your personal information secure
We have appropriate security measures in place to prevent personal information from being accidentally lost, used or accessed in an unauthorised way. We limit access to your personal information to those who have a genuine business need to know it. Those processing your information will do so only in an authorised manner and are subject to a duty of confidentiality.
We also have procedures in place to deal with any suspected data security incidents, and we will notify you and the appropriate regulator of any incident where we are legally required to do so.
When computers make any decisions about you?
We do not use AI to make automated decisions. There is always a human intervention to review and approve any outputs from the AI tools. Decisions are not made solely by automated means.
When your data is sent to other countries?
Wherever possible, through our supplier selection, contractual, and security assurance processes, the Council ensures that all data is stored and processed within UK data centres. The UK remains our first and preferred location for all data storage and processing activities, ensuring compliance with UK GDPR and alignment with national security expectations.
Any data we hold that relates to the NHS, central government, or similar regulated bodies is required to be and is stored exclusively within UK datacentres.
In exceptional cases where it is not possible to use a UK-based service, we may use providers operating within the European Union (EU) or European Economic Area (EEA), where data handling is governed by the EU GDPR, which closely aligns with UK data protection standards. No information we collect or process is ever transferred outside the UK, EU, or EEA.
Rights for individuals under UK GDPR
What are your rights?
Please contact the Corporate Information Governance Team at [email protected] to exercise any of your rights, or if you have a complaint about why your information has been collected, how it has been used or how long we have kept it for.
You can contact our Data Protection Officer at [email protected] or write to: Data Protection Officer, City Hall, Centenary Square, Bradford, BD1 1HY.
The UK GDPR also gives you the right to lodge a complaint with the Information Commissioner's Office who are the supervisory authority responsible to regulate and monitor the legislative obligations within the UK and can be contacted on 03031 231113.