Skip to main content

Direct Payments Privacy Notice

This privacy notice explains how Cheshire West and Chester Council uses personal information when delivering the Direct Payments service.

Direct Payments are a way of meeting assessed care and support needs by providing funding so that individuals, or those acting on their behalf, can arrange their own care and support. This may include managing a Direct Payment account, using a prepaid card or account, and receiving support from a commissioned Direct Payment support provider.

As part of delivering this service, the Council processes personal information to assess eligibility, set up and manage Direct Payments, provide advice and support, and ensure that public funds are used appropriately. This includes monitoring and reviewing Direct Payment arrangements, auditing how funds are spent, and working with partner organisations to support care and safeguard individuals.

This notice sets out what information we collect, how we use it, who we share it with, how long we keep it, and how we protect your privacy.

What information we collect, use and why

We collect personal information to assess your needs, set up and manage your Direct Payment, provide advice and support, and ensure that public funds are used appropriately.

Personal Data

  • Name, address and contact details:
    To identify you, communicate with you, and provide updates about your Direct Payment and support arrangements.
  • Date of birth:
    To confirm your identity and determine eligibility for services.
  • National identifiers (e.g. National Insurance number, system reference numbers):
    To uniquely identify you, support financial administration, and ensure accurate record matching across systems.
  • Family, carer and representative details:
    To understand your support network and ensure appropriate individuals are involved in managing your Direct Payment where required.
  • Financial information:
    To assess any contribution you may need to make, set up payments, manage Direct Payment accounts, and support monitoring and audit of public funds.
  • Support plan and care arrangements:
    To understand your assessed needs, agreed outcomes, and how your Direct Payment will be used to meet those needs.
  • Case records and correspondence:
    To maintain a record of decisions, actions, and interactions, ensuring continuity of care, accountability, and safe management of your Direct Payment.

Special Category Data

We process special category data where it is necessary to assess and meet your care and support needs.

  • Health and disability information:
    To understand your needs and ensure appropriate care and support is arranged.
  • Mental capacity information:
    To determine whether you are able to make decisions about your care and whether a suitable person, deputy, or attorney is required to act on your behalf.
  • Social care information:
    To assess, plan, review, and coordinate your care and support arrangements.
  • Safeguarding and risk-related information:
    To protect you and others, manage risks, and ensure that care and support is delivered safely.
  • Advocacy and support needs:
    To ensure your views are represented and that appropriate support is in place where required.

Criminal Offence Data

In limited circumstances, we may process information relating to criminal offences where this is necessary to ensure that care and support is delivered safely and appropriately.

This may include information about:

  • Safeguarding concerns or risks to individuals or others
  • Restrictions or conditions that may impact care or support arrangements
  • Misuse of Direct Payments or concerns relating to fraud or financial abuse

We only process this information where it is relevant and necessary to support care planning, risk management, safeguarding, or the proper use of public funds. This information is handled securely and accessed only by authorised staff on a strict need-to-know basis.

Sources of information

We primarily collect personal information directly from you as part of assessing your needs and delivering the Direct Payments service. This may be through assessments, reviews, application forms, or ongoing communication with you and those acting on your behalf.

To ensure we have a complete and accurate understanding of your needs and circumstances, we may also obtain information from the following sources where it is relevant and necessary:

  • Health and social care professionals:
    Including GPs, hospitals, community health services, and social care teams, to support assessment, care planning, and coordination of services.
  • Other council departments:
    Such as adult or children’s social care, safeguarding, client finance, and related services, to ensure a joined-up approach to support and avoid duplication.
  • Direct Payment support provider:
    Information may be shared between the Council and our commissioned Direct Payment support provider to set up and manage your Direct Payment and provide ongoing advice and support.
  • Prepaid card or account providers and financial service providers:
    To support the administration of Direct Payments, including setting up and managing accounts, monitoring transactions, and ensuring payments are made appropriately.
  • Other local authorities:
    Where you move between areas or receive services across different boroughs, to ensure continuity of care and support.
  • Government agencies:
    Such as the Department for Work and Pensions, where necessary to confirm entitlements or meet legal obligations.
  • Family members, carers, and representatives:
    Where they are involved in your care or authorised to act on your behalf, to support decision-making and management of your Direct Payment.
  • Commissioned partners and support services:
    To support delivery of care, advice, and community-based support options.

We only collect information from these sources where it is necessary, relevant, and lawful to assess your needs, manage your Direct Payment, and ensure that care and support is delivered safely and effectively.

What your information is used for

We use your personal information to deliver and manage the Direct Payments service, ensure your care and support needs are met, and fulfil our legal responsibilities.

Your information is used to:

  • Assess and plan your care and support needs:
    To understand your circumstances, determine eligibility, and agree how your needs will be met through a Direct Payment.
  • Set up and manage your Direct Payment:
    To arrange funding, establish payment mechanisms (including prepaid accounts or cards where used), and support the ongoing administration of your Direct Payment.
  • Provide advice, information, and support:
    To help you, or those acting on your behalf, make informed decisions about arranging and managing care and support, including the use of commissioned Direct Payment support services.
  • Coordinate care and work with partner organisations:
    To share relevant information with health, social care, financial services, and support providers to ensure your care is delivered effectively and safely.
  • Monitor and review your Direct Payment arrangements:
    To check that your care and support continue to meet your needs, review outcomes, and make changes where required.
  • Audit and oversee the use of public funds:
    To review how Direct Payments are spent, including transactions, provider payments, and account activity, ensuring funds are used in line with agreed care and support plans.
  • Prevent and detect fraud, misuse, or financial abuse:
    To identify and investigate concerns relating to the use of Direct Payments and take appropriate action where necessary, including recovery of funds.
  • Safeguard individuals and manage risk:
    To protect you and others from harm and ensure that care and support arrangements are safe and appropriate.
  • Meet our legal and statutory duties:
    To comply with legislation, guidance, and regulatory requirements relating to adult and children’s social care, safeguarding, and the administration of public funds.
  • Monitor and improve our services:
    To analyse anonymised or aggregated information to understand service demand, improve delivery, and support planning and commissioning.

Who we share your information with

We share your personal information only where it is necessary, lawful, and relevant to deliver the Direct Payments service and support your care and support needs.

Your information may be shared with:

  • Direct Payment support provider
    To set up and support your Direct Payment, provide advice and guidance, and assist with managing care and support arrangements.
  • Prepaid card, account, and financial service providers
    To administer Direct Payments, including setting up and managing accounts, processing payments, monitoring transactions, and ensuring funds are used appropriately.
  • Care providers and support services
    Including personal assistants, care agencies, and community or voluntary organisations, to arrange and deliver your care and support.
  • Health and social care services
    Including NHS organisations, GPs, hospitals, and social care teams, to ensure your needs are understood and services are coordinated effectively.
  • Internal council services
    Including social care teams, client finance, safeguarding, commissioning, and audit teams, to assess needs, manage payments, monitor use of funds, and ensure safe and lawful service delivery.
  • Other local authorities
    Where you move between areas or receive services across different boroughs, to ensure continuity of support.
  • Government agencies
    Such as the Department for Work and Pensions, where required to meet legal obligations or confirm entitlements.
  • Advocacy services and representatives
    To support you in making decisions and ensure your views are represented where required.
  • Fraud prevention and audit bodies
    Where necessary to prevent, detect, and investigate fraud, misuse of public funds, or financial abuse.

We only share the minimum information necessary and ensure that all organisations handling your information are required to do so securely and in accordance with data protection legislation.

Data processors

We use data processors to support the delivery of the Direct Payments service and ensure that your information is managed securely and efficiently. Data processors act on our instructions and are contractually required to comply with data protection legislation.

These include:

  • Direct Payment support provider (BBPS):
    To provide advice, guidance, and administrative support in setting up and managing your Direct Payment.
  • Financial management and prepaid account providers:
    To administer Direct Payments, including setting up and managing prepaid cards or accounts, processing payments, and monitoring transactions.
  • Case management and financial systems:
    Including systems used to record social care case information, manage financial assessments, and process Direct Payments.
  • Council-approved IT and cloud service providers:
    To securely host and store personal information, including documents and internal records.
  • Secure communication and document handling platforms:
    To enable the secure sharing of information with individuals, representatives, and partner organisations involved in your care and support.

All data processors are required to handle your information securely, only process it on our instructions, and comply with UK GDPR and relevant security standards.

Data Controller

Cheshire West and Chester Council is the Data Controller for the personal information processed as part of the Direct Payments service. The Council is responsible for determining how and why your personal information is used and for ensuring it is processed lawfully, securely, and in accordance with data protection legislation.

In delivering this service, the Council works with commissioned providers and partner organisations who process personal information on our behalf. These organisations act as data processors unless otherwise stated and are required to follow our instructions and comply with data protection law.

Where other organisations process your information for their own purposes, they will act as independent data controllers and will provide you with their own privacy information where appropriate.

Lawful basis for processing

Cheshire West and Chester Council does not rely on consent as a lawful basis for processing personal or special category data for the Direct Payments service.

We process personal data under:

UK GDPR Article 6(1)(e) – Public Task:
Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This includes delivering statutory duties under adult and children’s social care legislation, including the provision and management of Direct Payments.

We process special category data under:

UK GDPR Article 9(2)(h) – Health or Social Care:
Processing is necessary for the provision of health or social care, including the assessment, planning, and delivery of care and support, and the management of Direct Payments.

Where additional conditions are required, we rely on:

UK GDPR Article 9(2)(g) – Substantial Public Interest, supported by relevant conditions in Schedule 1 of the Data Protection Act 2018, including:

  • Safeguarding of children and individuals at risk
  • Statutory and government purposes
  • Support for individuals with a particular disability or medical condition

Where we process information relating to criminal offences, we do so in accordance with Article 10 of UK GDPR and relevant conditions under Schedule 1 of the Data Protection Act 2018, where it is necessary for safeguarding, risk management, or the prevention and detection of unlawful acts, including misuse of public funds.

The primary legislation supporting this processing includes:

  • Care Act 2014
  • Care and Support (Direct Payments) Regulations 2014
  • Children Act 1989 and Children and Families Act 2014
  • Mental Capacity Act 2005
  • Health and Social Care Act 2012
  • Data Protection Act 2018 and UK GDPR

We share information with relevant organisations as part of delivering this service where it is necessary, lawful, and proportionate, and this processing does not require consent under data protection law.

International Data Transfers

Your personal information is primarily stored and processed within the United Kingdom.

In limited circumstances, your information may be transferred outside the UK where this is necessary to support the delivery of the Direct Payments service. This may include the use of secure IT systems or service providers that store or process data outside the UK.

Where this occurs, we ensure that appropriate safeguards are in place to protect your information and uphold your rights. These safeguards may include:

  • Transfers to countries that have been assessed as providing an adequate level of data protection
  • Use of legally approved agreements such as International Data Transfer Agreements (IDTAs) or Standard Contractual Clauses (SCCs)
  • Implementation of appropriate technical and organisational security measures

We only transfer personal information internationally where it is necessary, proportionate, and lawful, and we ensure that your information remains protected to UK data protection standards.

Retention Period

We will only keep your personal information for as long as necessary to deliver the Direct Payments service and meet our legal and regulatory obligations. Retention periods are set in line with the Council’s Corporate Retention Schedule.

In practice, this means:

  • Adult Direct Payments records (including assessments, care planning and financial arrangements): Retained for 7 years after you are no longer in receipt of services.
  • Children and young people’s Direct Payments records: Retained until the individual’s 25th birthday, in line with children’s social care record requirements.
  • Financial records relating to Direct Payments (including transactions, payments and account monitoring): Retained for 7 years to comply with financial and audit requirements.
  • Safeguarding or legal records (where applicable): May be retained for longer periods where required, depending on the nature of the case and applicable legal or statutory requirements.

Where information is required for an ongoing investigation, legal claim, audit, or statutory inquiry, it will be retained for as long as necessary and disposal will be delayed in line with legal requirements.

When records are no longer required, they will be securely destroyed in accordance with the Council’s Records Management Policy.

Where personal information is used for reporting or service improvement, it will be anonymised so that individuals cannot be identified.

Your Rights

The UK GDPR provides you with a several rights to control what personal information is used by us and how it is used by us.

Further guidance about these rights can be accessed from the Information Commissioner’s Office (ICO) website

If you are not happy about the way your personal data is being used, or you require further information about how we process your personal data, you can contact Council’s Data Protection Team:-

  • Online: Contact the DPO
  • By post: Data Protection Officer, The Portal, Wellington Road, Ellesmere Port, CH65 0BA

You also have the right to complain to the Information Commissioner’s Office using the following details: