Public health privacy notice
Who is the Data Controller for this processing?
We are the Data Controller for this processing.
The personal information we have collected from you will be shared with fraud prevention agencies who will use it to prevent fraud and money-laundering and to verify your identity. If fraud is detected, you could be refused certain services, finance, or employment.
Why do you need my personal information?
All local authorities have a duty to improve the health of the population they serve. To help with this, we use data and information from a range of sources, for example that collected at birth and death registrations. This helps us to better understand the health and care needs in the area.
Our Public Health team uses personal identifiable information about residents and users of health care (this means data which relate to a living individual who can be identified from the data, or from that data and other information held by the data controller, i.e. it can be linked to become identifiable) to enable it to carry out specific functions for which it is responsible, such as:
- control of infection
- management of risks to public health
- organising the National Child Measurement Programme
- organising the NHS Health Check Programme
- organising and supporting the 0-5 health service and school nursing services
The Public Health team also uses the information to derive data and information for research and planning purposes, which includes producing assessments of the health and care needs of the population, in particular to support the statutory responsibilities of the:
- Joint Strategic Needs Assessment (JSNA)
- Director of Public Health Annual Report
- health and wellbeing strategy
- identifying priorities for action
- informing decisions on (for example) the design and commissioning of services
- assessing the performance of the local health and care system and to evaluate and develop them
- reporting summary statistics to national organisations
- undertaking equity analysis of trends, particularly for vulnerable groups
- supporting clinical audits
In these cases, the information is used in such a way that individuals cannot be identified from the data and personal identifiable details are removed as soon as is possible in the processing of intelligence. This information includes:
- contact details
- NHS number
- geographic codes such as postcodes for the analysis of health inequalities
- date of birth
- information from birth and death certifications (personal identifiable information from NHS Digital used for public health purposes)
- information about healthcare obtained from NHS Digital
- information about the provision of Public Health services including:
  - control of infection
  - drug and alcohol treatment services
  - sexual health services
  - 0-19 health services
  - National Child Measurement Programme
  - lifestyle and behaviour change services
  - cancer screening
  - other screening programmes
  - other public health initiatives
- information about lifestyle behaviours, including data collected from surveys
- information about disease prevalence including cancer registrations
- information about other health statuses such as blood pressure
- information about health and social care use, including:
  - GP services
  - hospital services
  - NHS community services
  - mental health services
  - social care services
We get most of this information from you, but we may also get some of this data from:
- central Government agencies
- other local authorities
- health and social care providers
- police and probation services
- commissioned partners
Who else might we share your personal information with?
Sometimes we may need to share your information, but we will only do so where it is necessary or required by law. We will only share the minimum information for each circumstance.
We may sometimes need to share some of your information with:
- health service providers including NHS agencies (GPs, hospitals, ambulance, health visitor, mental health services)
- other local authorities
- care providers
- Government agencies (e.g. Department of Health, Department of Work and Pensions)
What is the legal basis for our use of your personal information?
Most of the personal information we process is provided to us directly by you. Under the General Data Protection Regulation (GDPR), the lawful bases we rely on for using your personal information are:
- we have a legal obligation (GDPR Article 6 (c))
- we need it to perform a public task (GDPR Article 6 (e))
When we collect data about your race, health (including biometric or genetic data), sex life, sexual orientation or ethnic origin, we also rely on the following lawful bases:
- we need to collect it for Substantial Public Interest in order to comply with UK legislation (GDPR Article 9 (2) (g))
- we are providing you with health and social care support (GDPR Article 9 (2) (h))
- we need to collect it for public health (GDPR Article 9 (2) (i))
- we need to analyse your information (GDPR Article 9 (2) (j))
The legislation we rely on when using your personal information to meet our legal obligations or public tasks includes but is not limited to:
- Statistics and Registration Service Act (2007), section 42 (4)
- Health and Social Care Act (2012), section 287
- Health Service (Control of Patient Information) Regulations 2002, regulation 3
- Equality Act
Where will we store your information?
Your information will be securely stored on our network.
How long will we keep your personal information?
We will only use your personal information whilst delivering the service to you and to deal with any questions or complaints that we may receive about this, unless the law requires us to keep it for a longer period. We will keep your information in line with our retention schedule for public health data.
If we need to use your information for research or reports, your information will be anonymised and any information taken from notes (hand written or typed) during any consultation sessions will be securely destroyed. The information will continue to be used in a summarised and anonymised form in any research reports or papers that are published. The anonymised information in the papers may be of historic interest and may be held in public archives indefinitely.
Under data protection law, you have rights including:
- your right of access - you have the right to ask us for copies of your personal information
- your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
- your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances
- your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances
- your right to data portability - you have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances
You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
To make a request, follow the instructions on our Data protection for you page.
How to complain if you are unhappy about how your data is used?
You can complain directly to our Data Protection team online or by post:
- Online: Contact the DPO
- By post: Data Protection Officer, The Portal, Wellington Road, Ellesmere Port, CH65 0BA
You also have the right to complain to the Information Commissioner’s Office using the following details:
- Information Commissioner's Office (ICO) website
- By post: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
Will my personal information be accessible outside the UK?
Should the transfer of personal information outside of the UK become necessary, it will only take place if permitted by law, and then only where there are appropriate safeguards in place to protect the personal information.
Your information is stored within the UK.