How we use your information

This privacy notice tells you what to expect when Tonbridge and Malling Borough Council (TMBC) collects personal information, and what rights you have in relation to the information we hold about you.


  • visitors to our website
  • people who contact us through other means
  • residents and other people who use our services
  • use of personal data in connection with enforcement activities
  • complainants in relation to the provision of council services or conduct of councillors
  • your rights
  • how to contact us

This notice is to be read alongside a number of service specific privacy notices, which explain how the council will handle personal information in the delivery of individual services.

Visitors to our website (

To assist in ongoing site development, the council uses monitoring software for the purposes of recording the number of visitors to the site and the most frequently visited pages. We do not use the software to identify these visitors nor keep records of their personal email addresses.

Where there is a need to collect personal information through our website (for example in order to provide a service to you), we will be open about this. We will also explain what we intend to do with any personal information collected from you.

Use of cookies by TMBC

We use cookies on our website. A cookie is a small piece of code stored on your computer, phone or whatever you use to browse the web, that is used to store information about you on your computer.

We use two different types of cookie

  • session Cookies - these are temporary cookie files, which are removed when you close your browser and will not 'recognise' you when you log back in
  • persistent cookies - these cookies allow you to be recognised when you log back in

The cookies we use are:

Cookie name: nmstat
Type: Persistent
Expires: 1000 days after last visit
Information: This cookie helps to record your use of the website. This information is then used to improve your subsequent experience on the website. The cookie contains no personal information and is used only for web analytics.

Cookie name: ASP.NET_Sessionid
Type: Session
Expires: Browser session
Information: This cookie is used purely to track the sequence of pages a visitor looks at during a visit to the site, reducing your journeys, and enabling you to find relevant information quicker.

Cookie name: _utma, _utmb, _utmc, _utmz
Type: Persistent
Expires: 1000 days after last visit
Information: These cookies are used to collect information about how you use our site. The cookies collect information in an anonymous form, including the number of visitors to the site, where visitors have come to the site from and the pages they visited. To opt out of being tracked by Google Analytics across all websites see Google Analytics opt-out.

To delete cookies or reject cookies

We recommend you allow the cookies set by this website as they help us to improve and provide a better service for you. If you do not want to receive cookies from this website, select cookie settings under the privacy settings in your browser options, and add our domain ( to the list of websites you do not want accept cookies from.

Under settings you can also delete individual cookies or any cookies that your browser has stored. You can find more information on how to delete and control cookies at About cookies.

If you set your browser to refuse cookies, please be aware that the site may not work properly.

EU Cookie directive

The law relating to cookies has changed. The Information Commissioner's Office has issued guidance on the changes and TMBC is in the process of updating its cookie policy to reflect the changes.

Search engine

Our website search is powered by Jadu. Search queries and results are logged anonymously to help us improve our website and search functionality and in order to identify the most frequently visited pages. No user-specific data is collected by either TMBC or any third party.

Security and performance

TMBC uses a third party service to help maintain the security and performance of TMBC website. To deliver this service it processes the IP addresses of visitors to TMBC website.

Links to other websites

This privacy notice does not cover the links within our website linking to other websites. We encourage you to read the privacy statements on the other websites you visit.

People who contact us through other means

People who contact us via social media

We use a third party provider, Social SignIn to manage our social media interactions (Twitter, Facebook and Instagram).

If you send us a private or direct message via social media the message will be stored by Social SignIn for the duration of our contract with them. It will not be shared with any other organisations.

People who telephone TMBC

When you call TMBC we collect Calling Line Identification (CLI) information. We use this information to help improve its efficiency and effectiveness.

People who email or write to us

We use Transport Layer Security (TLS) to encrypt and protect email traffic in line with guidance from the National Cyber Security Centre. If your email service does not support TLS, you should be aware that any emails we send or receive may not be protected in transit.

We will also monitor any emails sent to us, including file attachments, for viruses or malicious software. Please be aware that you have a responsibility to ensure that any email you send is within the bounds of the law.

We will keep emails and letters in line with our data retention policy. This means that all emails and letters will be retained for a defined period from closure of the matter to which they relate. The retention period will vary according to the type of matter in connection with which the data is held.

People who use our web-chat service 

We use a third party system, Live Helper Chat, to supply our web-chat service, which we use to handle customer enquiries in real time.

If you use the web-chat service we will collect your name, email address (optional) and the contents of your web-chat session. This information will be retained for two years and will not be shared with any other organisations.

You can request a transcript of your web-chat session if you provide your email address at the start of your session or when prompted at the end.

Residents and other people who use TMBC services

TMBC offers various services to the public, including residents and businesses. 

We have to hold personal details of the people who have requested the service in order to provide it. These details vary depending upon the service being requested but in almost all cases will include names and addresses. In some cases we may also need to ask for additional personal information, such as health information to assess benefit entitlements. We will only ask for information which we need to provide the service being requested, and we only use these details to provide the service the person has requested and for other closely related purposes. In certain circumstances, explained below, we may share aspects of the personal information you have provided with other departments within the council or with external bodies.

Please note that if you do not provide the information requested, the council may not be able to provide the service requested.

When we hold personal information for the purposes of providing a service, or carrying out a public function we will keep it for a limited duration after the service has been provided or the function exercised, in accordance with the council’s Data Retention Policy.

How we look after data

The council may hold personal information electronically (for example in email, electronic documents or databases) and also in hard copy files. Access to the council’s systems is restricted in several ways, including password access for staff, and user restrictions within systems and databases, which are limited only to those officers who need access in order to carry out their roles within the council. The council also has data protection policies in place which officers and councillors are required to adhere to.

Hard copy files are held within areas of the building which are only accessible by officers, and wherever possible in lockable filing cabinets or other secure storage.

All staff are provided with regular, mandatory, training on data protection issues and each directorate of the council has a “data champion” who works within their section to promote best practice in data protection.

Information sharing – within TMBC

Where one department in the council holds personal information, we do not generally need to ask for consent to share it with other departments within the council for the purposes of those departments exercising their statutory functions. However, we will only share such information as is necessary for the performance of that other function and in accordance with the lawful purposes of processing set out in legislation.

In many circumstances we will not disclose personal data without consent. However when we investigate a complaint, for example, we will need to share personal information between the council departments concerned and with other relevant bodies, such as the Local Government and Social Care Ombudsman.

Information sharing – outside of TMBC

There are circumstances where we may need to share personal information with external organisations, such as the police, a local registered housing provider or Kent County Council. Where we share information with an external body, we will only do so where this meets the lawful reasons for processing personal information, or with express consent.

TMBC is a signatory to the Kent and Medway Information Sharing Agreement, which governs the disclosure, exchange and pooling of personal information by local public services within Kent and Medway in order to maximise service delivery. This agreement provides the framework by which signatory organisations provide assurance to each other that they will deal with personal data which they share securely, fairly and in accordance with all relevant legislative requirements.

Use of personal data in connection with enforcement action - publication of sentencing outcomes

Deterrence is an important part of the council’s regulatory and enforcement activities. To that end, the council will consider publishing details of successful prosecutions, including the offender’s name and location, in all cases. Publication may be on our website, or in some cases we may report offences to the press. It is important in maintaining transparency that the general public are kept informed of action which the council takes.

When deciding whether to publish details of a prosecution, the council will take into account the social need in making the information public. This will include factors such as:

  • the significance of the offence committed
  • the effect of the offence in the local community
  • the frequency of such offences
  • whether the offence itself has attracted publicity

Where applicable, the council will have to balance the public interest in publication with the data rights of the offender.

People who make a complaint to us

When we receive a complaint from a person we make up a file containing the details of the complaint. This normally contains the identity of the complainant and any other individuals involved in the complaint.

We will only use the personal information we collect to process the complaint and to check on the level of service we provide. We do compile and publish statistics showing information such as the number of complaints we receive, but not in a form which identifies anyone.

If the complaint is about another individual, for example where it relates to noise from a neighbouring property, we may have to disclose the complainant’s identity to whoever the complaint is about. This is inevitable where, for example, the accuracy of a person’s record is in dispute. If a complainant doesn’t want information identifying him or her to be disclosed, we will try to respect that. However, it may not be possible to handle a complaint on an anonymous basis.

We will keep personal information contained in complaint files in line with our data retention policy. This means that information relating to a complaint will be retained for a defined period from closure. The retention period will vary according to the type of matter in connection with which the data is held.

Similarly, where enquiries are submitted to us we will only use the information supplied to us to deal with the enquiry and any subsequent issues and to check on the level of service we provide.

Councillors’ responsibilities

Councillors are regarded as Data Controllers in their own right if they process personal data either manually or by computer, whether on their own equipment or on equipment provided to them by the council.

There are three ways in which councillors might use personal data:

  • when considering issues and making decisions as part of the council’s business – for example in committees or working groups. This is covered by the council’s notification
  • as a member of a political party canvassing for votes or working for a party. This is usually covered by the party’s notification. Councillors who are not a member of a political group must make their own arrangements to notify the ICO in order to process personal data in this way
  • carrying out casework. In this case the councillor is the data controller and is required to notify the Information Commissioner’s Office (ICO). It is the practice of the councils to notify the ICO on their behalf of all purposes for which the councillors hold and process personal data. Each councillor is therefore individually registered with the ICO as a Data Controller. See the searchable data controllers register

Where holding and processing personal data about individuals in the course of undertaking council business, a councillor will be covered by the council’s notification to the ICO, and have the same responsibilities in respect of data protection as an employee of the authority.

Complaints about councillors

When we receive a complaint about the conduct of a councillor, this will be handled in accordance with the council’s adopted arrangements for Code of Conduct complaints under the Localism Act 2011. 

The Arrangements contain specific provisions about the collection of personal data in connection with the complaint, the disclosure of the identity of the complainant to the councillor(s) against whom the complaint is made and the publication of the outcome of the complaint.

Freedom of Information (FOI) and Environmental Information Regulations (EIR)

Information held by the council is subject to the requirements of FOI and EIR. These provide public access to information held by public authorities, including TMBC. When someone makes a request for information under FOI or EIR that may include the potential disclosure of includes someone else’s personal data, TMBC will need to carefully balance the case for transparency and openness under FOI or EIR against the individual’s right to privacy under data protection legislation in deciding whether it can release the information without breaching the data protection principles.

Your rights

Subject access request

Under the Data Protection Act 1998, you are entitled to information about you that the council holds, subject to certain exemptions. You may request such information by making a ‘subject access request’ to the council.

You can make a subject access by emailing

If we hold incorrect information about you, you can ask us to correct any mistakes by contacting the FOI team at

Your right to withdraw consent

Where you have previously given consent for the council to use your personal information for certain purposes you have a right to withdraw your consent to the processing of that information.

You can make a request by emailing

Your right to request erasure of personal information held about you (also known as ‘right to be forgotten’)

In certain circumstances, you are entitled to request the deletion or removal of personal information about you. This is not an absolute right, but does allow you to request the deletion of your personal information in specific circumstances:

  • where the personal data is no longer necessary in relation to the purpose for which it was originally collected or processed
  • when you withdraw consent
  • when you object to the processing and there is no overriding legitimate interest for continuing the processing
  • the personal data was unlawfully processed (ie otherwise in breach of the GDPR)
  • the personal data has to be erased in order to comply with a legal obligation
  • the personal data is processed in relation to the offer of information society services to a child

TMBC may refuse to comply with a request for erasure where the personal data is processed for the following reasons:

  • to exercise the right of freedom of expression and information
  • to comply with a legal obligation for the performance of a public interest task or exercise of official authority
  • for public health purposes in the public interest
  • archiving purposes in the public interest, scientific research historical research or statistical purposes
  • the exercise or defence of legal claims

You can make a request by emailing

Right to data portability

In certain circumstances, you are entitled to:

  • receive a copy of any personal data that you have provided to TMBC in a commonly used and machine-readable format and store it for further personal use on a private device
  • have your personal data transmitted directly from TMBC to another data controller where technically possible

Your right to make a complaint

TMBC tries to meet the highest standards when collecting and using personal information. For this reason, we take any complaints we receive about this very seriously. We encourage people to bring it to our attention if they think that our collection or use of information is unfair, misleading or inappropriate. We would also welcome any suggestions for improving our procedures.

If you have a concern about the way we are collecting or using your personal data, we request that you raise your concern with us in the first instance. Alternatively, you can contact the Information Commissioner’s Office at Raising a concern.

Security breach management

We take our obligations in relation to personal data very seriously. All allegations or instances of personal data breaches will be investigated without delay, and reported to the Information Governance Officer Working Group for further consideration or determination as to whether notification to the ICO is required.

TMBC will record a summary of the incident, its effects and the responsive action taken.

If you believe there has been a breach of personal data, please contact us at

How to contact us

If you want to request information about our privacy policy you can email us or write to:

Tonbridge and Malling Borough Council
Gibson Building
Gibson Drive
West Malling
ME19 4LZ

Data Protection Compliance Structure

TMBC is registered with the ICO as a Data Controller (Registration number Z5576542). A separate registration is held by the council for the purposes of cctv and crime prevention, under the title of ‘Tonbridge and Malling Safer Towns’ (Registration number Z2224145).

TMBC’s appointed Data Protection Officer (DPO) is Adrian Stanfield, Director of Central Services and Deputy Chief Executive.

The DPO chairs the council’s Information Governance Officer Working Group, and is a member of the council’s corporate management team. Each directorate has appointed representatives on the Information Governance Officer Working Group.

Changes to this privacy notice

We keep our privacy notice under regular review. This privacy notice was last updated in January 2023.