Public Health - privacy notice

Who we are

Derby City Council is the local government unitary authority for Derby city. Our address is the Council House, Corporation Street, Derby, DE1 2FS. You can contact our Data Protection Officer on 01332 640763 or by email at data.protection@derby.gov.uk.

How do we collect information from you?

We collect information from you when you visit www.derby.gov.uk, when you fill in any forms using our customer portals or on our website, including myAccount; also when you contact us in writing, speak to us on the phone, by email or any other type of electronic communication, or talk to us face to face. We may collect information from a setting you attend, such as a school or care home, where this data collection is necessary for the following purposes listed.

What types of information do we collect from you?

We collect different categories of information about you, depending on the service you want from us and/or the reason why we need to process information relating to you. This could be personal information (for example your name and address), or other more sensitive data that we would only collect and use in very particular circumstances that are set out in law.

Should you wish to exercise your statutory rights, outlined below, then we may request information from you to verify your identification such as a copy of your passport or driving licence. 

Details of information obtained from third parties?

Purpose of collecting the data

As a local authority, we have a duty to improve the health of our local population. We use the information and data we collect to measure the health, mortality or care needs of the population; to identify risks to the public's health and identify opportunities to improve the public’s health, and to inform the planning, evaluation and targeting of health, care and public health services.

We work with many types of data to be able to promote health and support improvements in the delivery of health and care services for the people of Derby:

1. Identifiable data – this is personal data that can identify individuals, such as name, date of birth, gender, address, postcode and NHS number.
2. Pseudonymised data – this contains information about individuals but with the identifiable details replaced with a unique code.
3. Anonymised data – all identifying details are anonymised so individuals can not be identified.
4. Aggregated data – this is data that has been grouped together so that it doesn’t provide information on individuals, only groups of people.

We are committed to using aggregated, pseudonymised or anonymised information as much as possible. Where necessary, personal or sensitive identifiable data may be shared with us by another organisation due to us being part of a service they are providing, or as part of research and intelligence necessary for Public Health functions, such as informing decisions on the design and commissioning of services, or to safeguard and protect the health of the local population.

We receive information from organisations such as:

• UK Health Security Agency (UKHSA)
• the Office for National Statistics
• NHS Digital
• national and local NHS bodies and Clinical Commissioning Group
• local authorities
• Derbyshire Constabulary
• Derbyshire Probation Trust
• education settings
• other organisations that provide services on our behalf
• settings that provide accommodation for large numbers of people (e.g., prisons, university halls, asylum seeker accommodation)

How is your information used?

In accordance with s.10 of the Data Protection Act 2018; we may use your information to enable us to carry out specific public health functions which we are responsible for, such as:

• control of infection and outbreaks
• sexual health services
• drug and alcohol treatment services
• management of risks to Public Health
• lifestyle and behaviour change services
• organising the National Child Measurement Programme
• organising the NHS Health Check Programme
• organising and supporting the 0-19 public health nursing services.

We may also use your information to:

• support the reduction and impact of violence in the city
• safeguard children and vulnerable adults, for example, by reviewing child deaths in the city and deaths related to drugs and alcohol.

The Public Health team also uses the information to derive statistics and intelligence for research and planning purposes, which include:

• • producing assessments of the health and care needs of the population, in particular, to support the statutory responsibilities of the:
  • Joint Strategic Needs Assessment (JSNA)
  • Director of Public Health Annual report
  • Health and Wellbeing Strategy
• informing planning (for example) for the design and commissioning of services
• to assess the performance of the local health and care system and to evaluate and improve them
• to report summary statistics to national organisations
• to undertake analysis of trends in terms of health needs and use and access to service.

In these cases, the information is used in such a way that individuals cannot be identified from them and personal identifiable details are removed as soon as possible in the processing of intelligence.

COVID-19/Coronavirus

Coronavirus has been added as a notifiable disease under the Health Protection (Notification) Regulations 2010. Under the Public Health (Control of Disease) Act 1984 and associated Regulations; the Council has a legal duty to store, process and share personal information. The information will be stored, processed and shared as part of investigations into COVID-19 cases and outbreaks and issues of non-compliance with the acts and associated regulations. The information will also be used; interrogated and mapped to inform the Councils actions and decision-making processes. Any such storage, processing or sharing of information will be done in the public interest in order to promote health and wellbeing.

During the investigation of cases and/or outbreaks of Coronavirus, information which is gathered may be shared between departments within Derby City Council; with other Councils associated with an outbreak; other health services or with other government bodies associated with the control of the Coronavirus. The Council has a duty to notify national Government bodies, such as the UK Health Security Agency and the relevant local authority where an individual resides (if different), where there are suspected Coronavirus cases. The Council will disclose the information under Article 9(2)(j) of the UK GDPR (processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health), and confidential information may be lawfully disclosed in the public interest, without consent, where the benefits to an individual or to society outweigh both the individual’s and the public interest in maintaining the confidentiality of such data.

The Council may contact staff, service users, residents, patients, businesses and premises with messages relating to Coronavirus by text, phone, letter or email. This contact is not direct marketing; therefore we do not need your Consent before contacting you. There is more information available on the Information Commissioners Office's website.

We may use contact details held in Council systems to ensure that we are able to contact you, and to ensure that we are working from accurate and up to date information. Such information will be accessed and processed where it is necessary to comply with our legal obligations and public tasks arising from the Coronavirus Act 2020, the Health Protection (Notification) Regulations 2010 and the Public Health (Control of Disease) Act 1984, the Care Act 2014 and associated Regulations.

Research and statistics

Anonymised and pseudonymised data may be used for research and statistical purposes. Any data collected may be used for research and statistical purposes that are relevant and compatible with the purpose that the data was collected for.

Who has access to your information?

We may share your information with the following third parties for the reasons detailed:

• Other Council Departments, Derby Homes, and schools in Derby (if appropriate) – for example, to ensure we meet our statutory duties.
• Statutory agencies, such as the Police – we may share your information with statutory agencies in line with our legal obligations and/or in completion of our public tasks.
• Other organisations, such as those delivering services on our behalf, as appropriate to meet our public health responsibilities.

Your information will only be shared with these third parties where we have your consent or in meeting our legal obligations or completion of our public tasks.

We will not sell or rent your information to third parties. We will not share your information with third parties for marketing purposes.

What are your rights?

• Access – you can request copies of any of your personal information that is held by the Council.
• Rectification – you can ask us to correct any incorrect information.
• Deletion – you can ask us to delete your personal information. The Council can refuse to delete information if we have a lawful reason to keep this.
• Portability – you can ask us to transfer your personal data to different services or to you.
• Right to object or restrict processing – you have the right to object to how your data is being used and how it is going to be used in the future.
• Right to prevent automatic decisions – you have the right to challenge a decision that affects you that has been made automatically without human intervention, for example an online form with an instant decision.

National Data Opt Out

We are one of many organisations working within health and social care to improve health and wellbeing for patients as well as the public. Information collected from you when you use our services may be stored and shared with services or partner organisations for purposes other than your individual care, for instance to help with:

• Improving the quality and standards of care provided
• Research into the development of new treatments
• Preventing illness and diseases
• Monitoring safety

This may only take place when there is a clear legal basis to use this information. Confidential information about your health and care will only be used in limited circumstances where it is not possible to use anonymised data.

You have a choice about whether you want your confidential information to be used in this way. If you are happy for your information to be used in this way you do not need to do anything. If you do choose to opt out your confidential patient information will still be used to support your individual care.

For more information or to register your choice to opt out please visit https://www.nhs.uk/your-nhs-data-matters/. You can choose to opt in at any time.

Please be aware that the National Data Opt Out does not apply to information used for marketing purposes, your data would only be used in this way with your specific agreement.

All Health and Social Care organisations should have systems and process in place so they can be compliant with the national data opt-out and apply your choice to any confidential patient information they use or share for purposes beyond your individual care.

Our organisation is compliant with the national opt out policy.

How long will we keep your information for?

We keep and dispose of all records in line with our record retention schedule. We will comply with Data Protection legislation.

What security precautions are in place to protect the loss, misuse or alteration of your information?

We are strongly committed to data security and will take reasonable and appropriate steps to protect your personal information from unauthorised access, loss, misuse, alteration or corruption. We have put in place physical, electronic, and managerial procedures to safeguard the information you provide to us. However, we cannot guarantee the security of any information you transmit to us. We recommend that you take every precaution to protect your personal information.

Keeping your data up to date

We want to ensure any information we hold is accurate. You can help us by promptly informing us of any changes to the information we hold about you.

Details of any automated decision processes

Public health does not use your information for any automated decision-making.

Under 13

If you are accessing online services and are under the age of 13‚ please ask for your parent or guardian's permission beforehand whenever you provide us with personal information

Cookies

Cookies are small text files which identify your computer to our servers. They are used to improve the user experience. View what cookies we use and how you can manage them.

IP addresses

Internet Protocol (IP) addresses are collected when our site is used:

• for statistical or analytical purposes
• to identify any malicious activity.

Complaints

If you would like to make a complaint regarding the use of your personal data you can contact our Data Protection Officer:

• By post: Information Governance, Council House, Corporation Street, Derby, DE1 2FS
• By phone: 01332 640763
• By email: data.protection@derby.gov.uk

For independent advice about data protection, privacy and data sharing issues, you can contact the Information Commissioner's Office (ICO):

• By post: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
• By phone: 0303 123 1113 (local rate) or 01625 545 745 if you prefer to use a national rate number

Alternatively, visit ico.org.uk or email casework@ico.org.uk.