Public health privacy notice

This privacy notice explains how we use personal information to deliver Public Health functions. We have a legal duty to improve and protect the health and wellbeing of the local population. To fulfil these responsibilities, our Public Health team uses data from a wide range of health, care, and demographic sources to understand local health needs, prevent and manage risks to public health, commission and evaluate services, and respond to health protection concerns. This notice sets out what information we collect, how we use it, where it comes from, who we may share it with, and how we keep it safe.

Our Public Health team carries out activities such as:

preventing and controlling the spread of infectious diseases
monitoring and responding to risks that may affect the public’s health
supporting the delivery of screening and immunisation programmes
running the National Child Measurement Programme
delivering the NHS Health Check Programme
overseeing 0–5 children’s health services and school‑aged nursing services
producing statutory assessments such as the Joint Strategic Needs Assessment and the Director of Public Health Annual Report
analysing information to plan, commission, evaluate, and improve local health and care services
producing population‑level intelligence, where personal identifiers are removed as soon as possible in the process

To carry out these functions, the Public Health team may use personal information that identifies individuals, such as information from birth and death registrations or health protection notifications. Where possible, information is anonymised or pseudonymised so that individuals cannot be identified. Personal identifiable information is only used when it is essential for delivering statutory public health duties, and NHS Digital has been replaced with NHS England in all references following national organisational changes.

What information we collect, use, and why

To deliver our Public Health responsibilities, we collect and use a range of information about residents and service users. This enables us to understand local health needs, prevent and manage risks to public health, commission and evaluate services, and fulfil our statutory duties. We only collect personal information when it is necessary to do so, and wherever possible we use anonymised or pseudonymised data.

We collect the following types of information:

Personal Data

Name, date of birth, address and contact details:
Used to identify individuals where required, understand health patterns across different communities, and match information accurately to ensure we carry out statutory public health functions correctly.
Demographic details such as gender and ethnicity:
Used to understand health inequalities, monitor trends, and ensure services are accessible and equitable.
Information from birth and death registrations:
Used to understand causes of ill‑health, mortality trends, life expectancy, and population‑level changes. This supports statutory surveillance and public health intelligence work.
Information about health, lifestyle, and service use:
This may include information from the NHS Health Check Programme, screening outcomes, immunisation status, and school‑aged health assessments. This helps us plan, monitor, and improve public health programmes.
Information relating to risks to public health:
Such as infectious disease notifications, environmental health concerns, or information that helps identify, prevent, and manage potential outbreaks or threats.
Information from health and care services:
This may include appointment information, assessments, service outcomes, or other details needed to improve service quality and monitor effectiveness.

Special Category Data

We only process special category information when it is necessary for statutory public health duties.

Health information:
Including medical conditions, screening results, immunisation records, child health measurement data, and details relevant to infection control, health protection notifications, and the assessment of risks.
Information supplied by NHS England and other health partners:
Used to identify eligible residents for health checks, screening and immunisation programmes, targeted interventions, and risk‑based follow‑up.
Information relating to pregnancy, childbirth, or children’s health:
Used to support, commission, and evaluate 0–5 health services, school nursing, and wider population child health management.
Ethnicity, religion, or other protected characteristics:
Used to understand and address health inequalities, meet statutory equality duties, and ensure services are accessible to all groups.

Criminal Data

Public Health does not routinely collect criminal‑offence information. However, we may receive or use information relating to criminal activity only where it is necessary and proportionate to fulfil our statutory responsibilities. This may include:

safeguarding concerns involving adults or children
serious risks to public health
multi‑agency investigations relating to infectious disease control or health protection
circumstances where criminal behaviour may have implications for community health or public safety

This information is processed with the highest level of confidentiality and only where required to protect individuals or the wider public.

Sources of Information

We collect most of the information we use directly from you, for example when you complete forms, access services, speak to a member of staff, or participate in a health programme. To carry out our statutory Public Health responsibilities effectively, we also receive information from a range of other sources. We only obtain information that is relevant, necessary, and lawful for us to use.

We may receive information from the following sources:

Health and Social Care Services

GPs, NHS England, hospitals, community health services, mental health services, maternity services, and other NHS providers
Screening and immunisation services
Health visiting teams and school nursing services
Substance misuse, sexual health, and lifestyle services
Adult and Children’s Social Care teams

This information helps us deliver health protection functions, monitor service quality, identify risks, and ensure services meet the needs of local residents.

National and Local Public Health Bodies

NHS England
UK Health Security Agency (UKHSA)
Office for Health Improvement and Disparities
National statistical bodies

We use this information to understand population health needs, monitor trends, identify inequalities, and support national and local health protection duties.

Civil Registration and Local Authority Services

Birth and death registrations
Registrars and coroner‑related information
Local authority departments such as Environmental Health, Early Help, Children’s Services, Adult Social Care, Community Safety, and Education services

This information supports surveillance, helps us understand demographic needs, and enables coordinated responses to health risks.

Schools, Early Years Providers, and Educational Settings

Information from schools, colleges, nurseries, and early years services
Child health measurement information and school‑aged health data

This supports child health surveillance, public health commissioning, and programmes such as the National Child Measurement Programme.

Laboratories, Diagnostic Services, and Health Protection Reporting Systems

Notification of infectious diseases
Laboratory test results
Environmental or incident‑related health protection reports

This information is used to prevent and manage outbreaks, assess risks, and protect the wider public from harm.

Other Public Bodies and Partner Agencies

Police, probation services, and multi‑agency safeguarding partners
Voluntary and community sector organisations involved in delivering or supporting public health services
Regional or national support services involved in specific public health initiatives

We only receive information from these organisations where it is necessary for safeguarding, managing public health risks, or fulfilling statutory duties.

Research, Surveys, and Service Providers

Public health surveys, audits, service evaluations, and feedback programmes
Commissioned services that provide lifestyle, preventative, or targeted health support
Contractors delivering public health services on our behalf

These sources help us understand local needs, evaluate services, and improve outcomes for residents.

Publicly Available Information

National statistics, population‑level datasets, and published health reports
Information that individuals choose to make publicly available

This is used for analysis, reporting, and understanding wider trends without identifying

What your personal information is used for

We use your personal information to help the Council carry out its legal responsibilities to improve and protect public health. Public Health teams use information only where it is necessary, relevant, and proportionate to do so. Wherever possible, information is anonymised or pseudonymised so individuals cannot be identified.

Your information is used for the following purposes:

Understanding the health needs of the local population

To analyse patterns of health, disease, disability, and mortality.
To identify groups or communities at higher risk of poor health outcomes.
To understand inequalities in health and access to services.
To support strategic planning, including the Joint Strategic Needs Assessment and the Director of Public Health Annual Report.

Preventing, managing, and responding to risks to public health

To identify, investigate, and manage infectious disease risks.
To protect individuals and communities from outbreaks and other potential harms.
To work with partners to assess risks, monitor trends, and coordinate responses.
To support environmental or health protection activity where the public may be at risk.

Delivering national and local public health programmes

To support the organisation and oversight of screening and immunisation programmes.
To deliver and evaluate the NHS Health Check Programme.
To deliver and monitor the National Child Measurement Programme.
To oversee 0–5 health services, health visiting, and school‑aged nursing services.
To ensure that eligible residents are offered appropriate public health interventions.

Commissioning, monitoring, and improving public health services

To plan, commission, and review services such as lifestyle programmes, sexual health services, substance misuse support, and other commissioned activities.
To assess whether services are effective, of good quality, and meeting local needs.
To evaluate outcomes so that services can be improved or redesigned where needed.

Producing statistics, reports, and public health intelligence

To create anonymised statistics and public health insights used for planning, decision‑making, and reporting.
To support performance monitoring and inform the work of the health and care system.
To identify trends and support actions to improve population health and wellbeing.

Personal identifiable information is removed as soon as possible, and anonymised information is used wherever it is practical to do so.

Safeguarding and protecting vulnerable individuals

To identify concerns where people may be at risk.
To work with safeguarding partners where necessary to protect children, adults, or communities.
To contribute to multi‑agency arrangements aimed at ensuring safety and wellbeing.

Supporting multi‑agency responses where criminal activity affects public health

To help manage serious risks to public health where information about criminal activity is relevant.
To contribute to multi‑agency investigations in exceptional circumstances, such as deliberate or reckless behaviour that could cause harm to others.
To support safeguarding activity linked to exploitation, abuse, or similar risks.

Public Health only uses criminal‑offence information where it is strictly necessary and proportionate.

Responding to residents’ enquiries and statutory reporting

To answer requests for information or support.
To fulfil statutory obligations imposed by national government or public health legislation.
To provide required statistical information to national organisations in anonymised form.

Who do we share your information with?

We only share personal information when it is necessary, lawful, and proportionate to do so. Information is shared to protect public health, deliver statutory duties, commission and evaluate services, and ensure the safety and wellbeing of the population. All organisations receiving information from Public Health must handle it securely and in accordance with data protection legislation.

We may share your information with the following types of organisations:

Health and Care Organisations

NHS England
GPs, hospitals, community health services, and mental health services
Screening and immunisation services
Health visiting and school nursing teams
Adult and Children’s Social Care

Information is shared to support health protection, monitor health outcomes, deliver public health programmes, and ensure services meet the needs of local residents.

Public Health Bodies

UK Health Security Agency
Office for Health Improvement and Disparities
National statistical and analytical bodies

These organisations receive information to help monitor trends, plan national and local interventions, understand health risks, and respond to public health concerns. Identifiable information is used only where strictly required by law.

Other Local Authority Services

Environmental Health
Early Years, Education, and Schools
Community Safety and Emergency Planning
Safeguarding teams
Registrars and Coroner‑related services

Shared information supports health protection duties, outbreak management, safeguarding activity, coordinated service planning, and statutory reporting.

Laboratories and Diagnostic Services

Public health laboratories
Diagnostic testing services
Providers responsible for notifying infectious diseases or reporting health protection incidents

Information is shared to support the investigation, prevention, and management of outbreaks or other health risks.

Commissioned Public Health Service Providers

Sexual health services
Substance misuse services
Lifestyle and prevention services
Other contracted providers delivering public health programmes

These providers may receive relevant information to deliver services on our behalf, carry out interventions, and report on outcomes. Contracts require them to keep your information secure and confidential.

Education and Early Years Settings

Schools, academies, early years providers, and colleges
Child health services involved in population measurement programmes

Information is shared to support child health surveillance, public health initiatives, and statutory programmes.

Safeguarding and Multi‑Agency Partnerships

Police and probation services
Local safeguarding children and adults partnerships
Organisations involved in protecting individuals at risk

Information is shared only when required to safeguard individuals, prevent harm, or respond to circumstances where safety or wellbeing may be at risk.

Statutory and Regulatory Bodies

Government departments
National monitoring and inspection bodies

These organisations may require information to support statutory reporting, compliance, or audit functions. Where possible, this information is anonymised.

Researchers and Analysts

We may share anonymised or pseudonymised information with researchers or approved analysts to support studies that improve public health and wellbeing. Individuals cannot be identified from this information. Identifiable information is not shared for research unless permitted by law and subject to strict controls.

Fraud‑Prevention Agencies

In line with Council‑wide requirements, anonymised or identifiable information may be shared with fraud‑prevention agencies where necessary to detect or prevent unlawful activity. This applies only in specific, legally‑defined circumstances.

When we do not share information

We do not sell your information or share it for marketing purposes.
We only share identifiable information where:

the law allows or requires it
it is necessary for public health or safeguarding purposes
it is needed to deliver or evaluate a public health service
there is a clear public interest in doing so

Wherever possible, information is shared in an anonymised form.

Data Processors

We use a small number of external organisations to support the delivery of Public Health functions. These organisations act as data processors, meaning they process personal information on our behalf and only under our strict instruction. They are not allowed to use your information for their own purposes.

All data processors must:

comply with data protection legislation
follow our security requirements
keep your information confidential
process information only for the purpose of delivering the contracted service
delete or return the information when the contract ends

We may use data processors for the following purposes:

Data storage, analysis, and secure IT systems

Some information is stored in secure systems or platforms hosted by approved IT and cloud‑service providers. These systems support activities such as data management, population health analysis, secure file transfer, and reporting.

Public Health service providers

We commission a range of providers to deliver public health programmes on our behalf, including:

lifestyle and prevention services
substance misuse services
sexual health services
children’s public health services, such as health visiting and school nursing
NHS Health Check providers
other organisations delivering targeted public health interventions

These organisations may process information to arrange appointments, record service activity, monitor outcomes, or provide reports back to the Council.

Survey, audit, and evaluation companies

We may use specialist organisations to help carry out surveys, audits, evaluations, or service assessments. These processors support us in understanding how services are performing and how they can be improved.

Secure communication and data‑handling systems

We sometimes use secure platforms that allow us to:

transfer information safely
manage notifications or alerts
support incident and outbreak management
conduct statistical or population‑level analysis

These systems are subject to strict contract terms and security controls.

Research and analytical services

Where permitted by law, we may use accredited organisations to analyse anonymised or pseudonymised data. These processors help us understand trends, monitor outcomes, and support public health planning. Personal identifiable information is only used where legally required and only under strict controls.

What data processors cannot do

Data processors:

cannot use your information for marketing
cannot sell your information
cannot use your information for their own purposes
cannot share your information without our permission

They must follow our instructions at all times and must keep your information secure.

Data Controller

We are the Data Controller for the personal information processed as part of its Public Health functions. This means we decide why and how your information is used when carrying out its statutory responsibilities to improve and protect the health of the local population.

In some situations, we may act as a Joint Data Controller with other organisations. This applies where two or more organisations work together and jointly determine the purposes and means of processing personal information. For example, we may act as a Joint Data Controller with NHS England or other health partners where information is shared under formal agreements to support national and local public health programmes, statutory health protection duties, or joint analytical work.

When we act as Joint Data Controllers:

each organisation involved is responsible for ensuring that your information is processed lawfully, fairly, and securely
each organisation has defined responsibilities set out in data sharing or joint controller agreements
you may exercise your data protection rights with either organisation, and we will ensure your request is directed to the correct place if required

The Lawful Basis for Processing

Public Health processes personal information to carry out the Council’s statutory responsibilities to improve and protect the health and wellbeing of the local population. We only use your information where it is necessary, relevant, and proportionate to do so.

Personal Data (UK GDPR Article 6)

For most Public Health activities, we rely on:

Article 6(1)(e) – Public Task

Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority.
This includes activities such as population health intelligence, health protection, screening and immunisation oversight, the NHS Health Check Programme, the National Child Measurement Programme, commissioning and evaluating services, and producing statutory public health reports.

We may also rely on:

Article 6(1)(c) – Legal Obligation

Processing is required to meet legal responsibilities, such as certain health protection notifications, civil registration duties, or statutory public health reporting requirements.

Special Category Data (UK GDPR Article 9)

When we process information about health or other special category data, we rely on one or more of the following:

Article 9(2)(i) – Public Interest in Public Health

Used to protect against serious threats to health and to ensure high standards of quality and safety.

Article 9(2)(h) – Health or Social Care

Used where processing is necessary for the management of health care systems or public health services.

Article 9(2)(g) – Substantial Public Interest

Supported by relevant conditions in Schedule 1 of the Data Protection Act 2018.
This applies where we process information for purposes such as:

analysing equality and health inequalities
safeguarding children or adults at risk
preventing or detecting unlawful acts
regulatory, government, or statutory purposes
protecting the public from risks to health or safety

Equality monitoring and analysis is an important part of Public Health functions. Where this requires special category data, it is processed under this Substantial Public Interest condition.

Article 9(2)(j) – Research and Statistics

Used when information is processed for research or statistical purposes in the public interest, with appropriate safeguards in place. Wherever possible, we use anonymised or pseudonymised data.

Criminal‑Offence Data (Data Protection Act 2018, Schedule 1)

Public Health does not routinely use criminal‑offence data.
In rare situations where it is necessary and lawful—for example, for safeguarding or managing serious risks to public health—we may process criminal‑offence information under relevant Schedule 1 conditions such as:

preventing or detecting unlawful acts
protecting individuals at risk
exercising statutory or governmental functions

This information is handled with the highest level of confidentiality.

Common Law Duty of Confidentiality and Consent

Some of the information we receive is classified as confidential patient information. Under the common law duty of confidentiality, we must have a lawful basis to use or share identifiable confidential information other than for direct care. We meet this duty in one of the following ways:

Consent – explicit consent is used where the activity is optional and consent is appropriate.
Statutory requirement or direction – certain laws require or permit the use or disclosure of confidential information for public health purposes.
Approved exemptions (for example, section 251 support) – in specific cases where approval is granted to set aside the common law duty under strict controls.
Overriding public interest – in exceptional circumstances, where disclosure is clearly necessary to prevent serious harm and is appropriately authorised.

We always use anonymised or pseudonymised data wherever this is sufficient to meet our public health purposes.

Legislation we rely on

The legislation we rely on when using your personal information to meet our legal obligations or carry out our public health tasks includes, but is not limited to:

Health and Social Care Act 2012 – sets out the core statutory public health duties of local authorities, including health improvement, health protection, and population health intelligence.
Health Protection (Notification) Regulations 2010 and Public Health (Control of Disease) Act 1984 – provide the legal basis for receiving and using information to prevent and control the spread of infectious diseases.
NHS Act 2006 (as amended) – underpins many public health functions, including screening, immunisation, and arrangements with NHS England.
Local Authority (Public Health Functions and Entry to Premises by Local Healthwatch Representatives) Regulations 2013 – set out the mandatory public health services delivered by local authorities, including the National Child Measurement Programme, NHS Health Checks, and sexual health services.
Children and Families Act 2014 – supports information sharing relating to children’s health, early years services, and child development.
Care Act 2014 – provides duties relating to safeguarding adults and cooperation across health and social care.
Civil Contingencies Act 2004 – provides duties relating to emergency planning and response, including public health emergencies.
Equality Act 2010 – enables the processing of information required for equality monitoring, understanding health inequalities, and meeting the Public Sector Equality Duty.
Statistics and Registration Service Act 2007 – governs the use of birth and death registration information for public health purposes.
Safeguarding legislation (including the Children Act 1989, Children Act 2004, and related statutory guidance) – supports the lawful sharing of information to protect children and young people.
Counter‑Terrorism and Security Act 2015 – provides a basis for information sharing relevant to safeguarding and reducing risks to individuals or the public where applicable.
Local Government Act 1972 and Local Government Act 2000 – support information processing for the delivery of local authority functions.

This list is not exhaustive. Additional legislation may apply depending on the specific public health function or statutory responsibility being delivered.

International Data Transfers

Public Health mainly stores and processes personal information within the United Kingdom. In most cases, your information will not be transferred outside the UK. However, there are specific circumstances where international transfers may be necessary to support public health functions and to ensure that individuals arriving from or returning to another country can access appropriate services.

We may transfer information internationally in the following situations:

When supporting asylum seekers, refugees, or individuals who have recently arrived from another country

If you have recently entered the UK, or if you are receiving support as an asylum seeker or refugee, we may need to request or receive information from overseas health authorities, international agencies, or organisations involved in your care or protection. This may help us understand your health needs, identify vulnerabilities, or ensure continuity of support.

When individuals move abroad or return to another country

If you tell us that you are moving overseas, we may need to share limited information with health authorities, legal representatives, or service providers in the destination country to support safe transfer, continuity of care, or to resolve any outstanding public health matters.

When international organisations are involved in supporting you

Some people may receive support from organisations based outside the UK, including those assisting migrants, displaced persons, or victims of exploitation. Information is only shared in these circumstances where it is necessary, proportionate, and lawful.

How we protect your information during international transfers

Whenever personal data is transferred outside the UK, we ensure your information remains secure by applying one or more of the following safeguards:

Adequacy decisions – data is only transferred to countries that the UK Government has assessed as providing an adequate level of data protection.
Standard Contractual Clauses or International Data Transfer Agreements – legally binding safeguards used when sharing information with organisations in countries without an adequacy decision.
Robust technical and organisational measures – such as encryption, access controls, secure transfer systems, and restricted access.
Careful assessment – each transfer is evaluated to ensure it is necessary, proportionate, and in your best interests.

Transfers made at your request

If you ask us to share information with individuals or organisations outside the UK — for example, family members, representatives abroad, or overseas agencies providing you with support — we will explain what information is required and may request your explicit consent before sharing it.

Consent is used only where the transfer is optional and no other lawful basis applies.

Transfers for public health protection

In exceptional circumstances, information may be shared internationally to prevent or manage a serious risk to public health. Such disclosures are tightly controlled, limited to what is necessary, and carried out in accordance with legal requirements.

Retention Period

We only keep your personal information for as long as it is needed to deliver Public Health functions, meet our legal responsibilities, and respond to any enquiries, complaints, audits, or legal challenges. After this time, information is securely deleted or archived in line with the Council’s Records Management Policy and Corporate Retention Schedule.

The following retention periods apply to Public Health information:

Public Health case records and health protection information

Records relating to public health case management, health protection activity, incident investigations, and operational notes are normally retained for 7 years after the case or involvement ends.

Children’s Public Health information

Where Public Health is involved in child health programmes or safeguarding activity, information is retained for the statutory periods used for children’s records:

Until the child’s 25th birthday, or
Until the child’s 31st birthday, where the record relates to long‑term health assessments or continuing needs.

Safeguarding‑related Public Health information

Where Public Health information forms part of safeguarding concerns or legal processes, records may be retained for up to 25 years, depending on the nature of the case and statutory requirements.

Population programmes, screening, immunisation and measurement data

Information relating to population‑level programmes, such as the National Child Measurement Programme, NHS Health Checks, screening oversight or immunisation monitoring, is generally retained for 7 years.

Where the information is used to produce anonymised statistical or longitudinal datasets, the anonymised information may be held for longer.

Birth and death registration‑derived information

Some public health intelligence relies on data from statutory registration.
Long‑term, aggregated or anonymised datasets may be retained permanently for statistical, historical, or analytical purposes.

Working copies or extracts are typically retained for 7 years.

Commissioned service and contract records

For services commissioned by Public Health (such as sexual health, substance misuse, lifestyle services or children’s health services), contract records are retained in line with contract type:

7 years after the contract ends for standard contracts
12 years after the contract ends for contracts signed under seal

Complaints, enquiries and feedback

Public Health complaint and enquiry records are retained for:

2–3 years for routine complaints
7 years for serious or escalated complaints

Research, evaluation and analysis records

Where information is used for research, analysis or evaluation:

Personal identifiers are removed as early as possible
Temporary working notes are deleted when no longer required
Anonymised datasets may be retained indefinitely where they are of ongoing public health value

Exceptional circumstances

We may retain information for longer where:

a complaint, audit, safeguarding enquiry or legal claim is ongoing
national inquiries or statutory investigations require it
the information is needed for statutory, governance or accountability purposes

Any decision to extend a retention period is made in line with the Council’s Records Management Policy and with appropriate governance oversight.

Your Rights

The UK GDPR provides you with a several rights to control what personal information is used by us and how it is used by us.

Further guidance about these rights can be accessed from the Information Commissioner’s Office (ICO) website

If you are not happy about the way your personal data is being used, or you require further information about how we process your personal data, you can contact Council’s Data Protection Team:-

Online: Contact the DPO
By post: Data Protection Officer, The Portal, Wellington Road, Ellesmere Port, CH65 0BA

You also have the right to complain to the Information Commissioner’s Office using the following details:

Online: Information Commissioner's Office (ICO)
Instant Message: Live Chat
By post: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
Phone: 0303 123 1113