Public Health privacy notice
We have a responsibility to carry out public health duties effectively and efficiently in order to help improve the health of the population we serve.
We have a wide range of responsibilities including understanding the health and wellbeing needs of our local population, addressing health inequalities, and improving our health.
In order to achieve this we need information to help us:
- measure the health, mortality or care needs of the population
- plan, evaluate or monitor health
- protect and improve public health and wellbeing
Who do we hold information about?
We hold information for public health purposes about people we directly provide a service to and people for whom we have a responsibility for in respect of our public health functions.
This includes all Staffordshire residents, people receiving health and care services in Staffordshire, and people who work or attend school in Staffordshire. Under our statutory obligation to provide a public health advice service to our local NHS clinical commissioning groups (CCGs), this also extends to people registered with a general practice within Staffordshire.
What type of information do we collect?
- Personal data - containing personal data that can identify individuals and may include name, address or postcode, date of birth, gender and NHS number
- Pseudonymised data - this contains information about individuals but with the identifiable details (e.g. NHS number) replaced with an alternative code or number
- Anonymised data - this is information about individuals that has had identifying details removed
- Aggregated data - data which has been grouped together so it is not at individual level but groups of people
Where possible we always look to use anonymised or pseudonymised data rather than using identifiable personal data.
How do we collect information?
Information may be provided to us directly by you when you sign up to use a service we are responsible for. Additionally, information may be shared with us by another organisation due to us having a role in a service they are providing, or as part of research and intelligence necessary for public health functions, such as informing decisions on the design and commissioning of services, reporting, or identifying public health patterns and trends.
Organisations which may share data with us include the Office for National Statistics (ONS), NHS Digital, NHS providers and other local authorities.
The following is data we receive from NHS Digital which is supplied to us under a data sharing agreement (DSA). This data is only supplied to us by NHS Digital under strict data disclosure controls:
- Hospital Episode Statistics (HES) – pseudonymised records about health care and treatment of patients within any English hospital. This contains data collected when someone is admitted to a hospital bed, treated as a day patient, attends as an outpatient, or attends urgent care centre for example Accident & Emergency department. This data includes the patient’s age, method of admission, source of admission, diagnosis codes, procedure and investigation codes, area of residence, hospital attended, date of attendance and GP practice of patient.
- Primary Care Mortality Database (PCMD) – The PCMD provides access to identifiable mortality data which is based on death registrations. The data includes the address, postcode of residence of the deceased and the place of death, NHS number, date of birth, date of death, name of certifier, and cause of death. No names are included. Access is only to deaths relating to individuals which are registered within Staffordshire and Stoke-on-Trent’s GP practices, deaths which occurred within Staffordshire and Stoke-on-Trent’s borders or that relate to Staffordshire and Stoke-on-Trent residents. The access to this database is via a secure internet connection.
- Births data tables – This dataset provides us with access to identifiable data about the number of births that occur within Staffordshire and Stoke-on-Trent. It includes the address of usual residence of the mother, place of birth, postcode of usual residence of the mother, postcode of place of birth of the child, NHS number of the child and the date of birth of the child. No names are included.
- Vital statistics tables – This is a statistics dataset so it does not identify individuals. It contains figures and data on live and still births, fertility rates, maternity statistics, death registrations and cause of death analysis.
- Personal Demographics Service (PDS) – Individuals NHS numbers are sought from PDS. This is the national electronic database of NHS patient details such as name, address, date of birth and NHS Number.
How do we use information?
Our Strategy Team uses data and information to understand more about the nature and causes of disease and ill-health, and about the health and care needs in the area. This allows risks to public health to be identified and also to consider opportunities to improve the County’s health. The data informs the evaluation and targeting of health and care and the public health services that are offered. No identifiable data is published, anonymised or pseudonymised.
Some examples of how we use Office for National Statistics and NHS Digital data include:
- joint strategic needs assessments (JSNAs)
- joint health and wellbeing strategies
- the annual report of the Director of Public Health
- reports commissioned by the Health and Wellbeing Board
- public health and wider local authority health and wellbeing commissioning strategies and plans
- public health advice to NHS commissioners
- local health profiles
- specific projects which require information and intelligence on the health and wellbeing of the population
How do we look after your information?
Under data protection legislation we have a legal duty to protect any information that we use or collect from you. We take measures to safeguard your data and apply security standards and controls to prevent any unauthorised access to it. Information which you have provided the council will be stored securely and in line with our information security policy.
Information is only made available only to professionals who have a business need to see it.
All staff who are using information also undertake regular training to comply with policies and procedures around data protection, information security, confidentiality and the safe handling of information.
The amount of time data is kept before being disposed of will vary depending on why it was collected, how it is used, and in line with any applicable UK laws. The Council also has a retention and disposal schedule which give details about how long we keep data.
When will we share your information?
Information is only shared with other organisations where their involvement is required to provide a service, for us to comply with our public health responsibilities.
What is the legal basis for holding and processing your information?
The legal basis for processing your personal information for non-direct care purposes is:
Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.
This is processed under General Data Protection Regulation - Article 6 (e) – necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
How can I opt out of the public health datasets?
You have the right to opt out of Staffordshire County Council’s Public Health Team receiving or holding your personal identifiable information.
Where possible we will seek to comply with your request; however there are occasions where we have a legal duty to share information, for example for safeguarding or criminal issues. The process for opting out will depend on what the specific data is and what programme it relates to.
For further information, please contact us.
Covid-19 Test and Trace
The UK Government have announced that the Covid-19 Test and Trace service, which will form a central part of the government’s coronavirus recovery strategy, will be launched across England on the 28 May 2020. The aim of the service is to help identify, contain and control the virus and save lives whilst also safely lifting lockdown restrictions on a national level.
For this to be effective it is vital that the sharing of data takes place between organisations involved in outbreak planning and response.
Organisations we may share data with will include but won’t be limited to other neighbouring local authorities, Public Health England (PHE) and education settings.
Purpose for sharing and processing your data
Your personal data may be processed and shared to help us to:
- Understand Covid-19 related risks in local settings, such as schools and care homes, and support these settings in managing any incidents or outbreaks
- Managing and monitoring responses to Covid-19 outbreaks in local settings
- Conduct contact tracing in cases where dedicated national test and trace teams cannot make contact with a resident within a set period of time
What data will be shared?
Data shared will mostly consist of information relating to settings who have reported incidents to us or PHE. This will consist of the setting name, postcode, contact details and number of confirmed cases. In cases where NHS test and trace cannot make contact with a resident their personal data will be shared with the local authority so that local public health teams can conduct contact tracing, this could consist of:
- Sex
- Age
- Postcode
- Ethnic Group
- Occupation
- Key Worker Status
- Covid-19 Test and Location
The lawful basis holding and processing this information
All processing of personal data must be carried out in accordance with the Data Protection Act 2018, The General Data Protection Regulations (GDPR) and any associated codes of practice issued by the Information Commissioners Office.
Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 in accordance with the ‘Covid-19 – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002’ from the Secretary of State for Health and Social Care to Local Authorities in England dated 20 March 2020 provides the common law duty for processing data.
The lawful bases as per the GDPR for processing data in response to Covid-19 Test and Trace are:
- Article 6.1.(e) - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; and
- Article 9.2.(i) – processing is necessary for reasons of substantial public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care.
Duration of processing
Information will be processed until the 30 September 2020 or until such time as the ‘Covid-19 – Notice under Regulation 3(4) of the Health Service Control of Patient Information Regulations 2002’ from the Secretary of State for Health and Social Care to Local Authorities in England dated 20 March 2020 is extended.
What are my rights?
Under the data protection legislation you, as the data subject, you have the right to:
- Access the information we hold about you.
- Request that we rectify any information about you that is incorrect. Simple inaccuracies, such as address changes will be made. Depending on the purpose for processing, records (including statements and opinions) may not be changed. However, there may be the option for you to provide a supplementary statement which can be added to our records.
- Request that records we hold about you are erased.
- Restrict processing of the information we hold about you if you have an objection to that processing, whilst your objection is investigated.
- Request that any information that you have provided to us is given back to you in a format that you can give to another service provider if required.
- Object to processing of your personal information including automated decision making and profiling.
- Make a complaint to a supervisory authority if you are not satisfied with how the information held about you has been handled.
Because we collect and process personal information about individuals, we are registered as a ‘Data Controller’ under Data Protection legislation. Please contact us if you have any questions about the information we hold about you, or if you have a complaint about privacy or misuse of data.
Staffordshire County Council’s Data Protection Officers
Contact details are as follows:
Email: dpo@staffordshire.gov.uk
Address:
Data Protection Officer,
Information Governance Unit,
Staffordshire County Council,
1 Staffordshire Place,
Stafford,
ST16 2LP
The county council’s overarching privacy notice can be found on our privacy notice page.
Information Commissioner's Office
The Information Commissioner’s Office is the national regulator who upholds information rights in the UK and can provide independent guidance.
Further information is available from the Information Commissioner’s Office (ICO) about:
- data controller registration (notification)
- data protection principles
- raising concerns about how information is handled
Phone: 0303 123 1113
Postal address:
Information Commissioner’s Office,
Wycliffe House,
Water Lane,
Wilmslow,
Cheshire,
SK9 5AF