Public Health Privacy Notice
All local authorities have a duty to improve the health of the population they serve. To help us do this, we use data from a range of sources including the Office for National Statistics, NHS Digital, Bexley Clinical Commissioning Group, hospitals and residents to understand more about the nature and causes of disease and ill health in Bexley.
The Public Health team at the London Borough of Bexley also have a legal status allowing the processing of personal confidential data for certain public health purposes. The statutory responsibilities for public health services are clearly set out in the Health and Social Care Act 2012. Bexley Council is registered with the Information Commissioner’s Office (ICO) under the provisions of the Data Protection Act 2018. Any personal information we hold is collected and processed in accordance with the requirements of the Data Protection Act 2018, EU General Data Protection Regulation (GDPR) and the Caldicott Principles.
This Privacy Notice should be read in addition to the Bexley Council Corporate Privacy Notice and gives more details about how personal information is collected to improve the health of Bexley residents.
Who do we collect information about?
Bexley Council collects and holds information for public health purposes about all to whom it has a public health duty of care. This may include:
- residents of Bexley
- people receiving preventative, health, and social care services in Bexley
- people who work or attend school in Bexley
What personal information do we process?
We work with many types of data to be able to promote health and support improvements in the delivery of health and care services in Bexley. Broadly these can be described as:
- Special Category data – personal data which is more sensitive including race, ethnic origin, politics, religion, trade union membership, genetics, biometrics (where used for ID purposes), health, sex life or sexual orientation. Depending on the service, the provider may require information about your health or other data which is classed as sensitive. Further information can be found in the Data Protection Act 2018
- Identifiable data – this is personal data that can identify individuals such as name, date of birth, gender, address, postcode and NHS number. Personal information includes expressions of opinion about an individual or any indications of intention in respect of the individual
- Pseudonymised data – this contains information about individuals but with the identifiable details replaced with a unique code. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use
- Anonymised data – all identifying details are anonymised so individuals cannot be identified
- Aggregated data – data that has been grouped together so that it does not provide information on individuals, only groups of people
Bexley Council Public Health is committed to using pseudonymised or anonymised information as much as is practical, and in many cases, this will be the default position.
What is the purpose of processing your personal information?
Bexley Council Public Health uses personal identifiable information about residents and users of health care to enable it to carry out specific functions for which it is responsible, such as:
- control of infection and health protection activities
- management of risks to public health
- organising the National Child Measurement Programme
- organising the NHS Health Check Programme
- organising and supporting the 0 to 19 Children’s Public Health Service (Health visiting and school nursing)
- contract monitoring of the adult weight management service to confirm that eligibility is met
- improving health outcomes, evaluating the quality of services and patient experience
Bexley Council Public Health also uses information about residents and users of health care to derive statistics and intelligence for research and planning purposes. In these cases, personal identifiable details are removed as soon as is possible in the processing of intelligence so that individuals cannot be identified from them.
This enables Bexley Council Public Health to carry out specific functions for which it is responsible, such as:
- producing assessments of the health and care needs of the population, in particular, to support the statutory responsibilities of the:
  - Joint Strategic Needs Assessment (JSNA)
  - Director of Public Health Annual report
  - Health and Wellbeing Strategy
- identifying priorities for action
- informing decisions on, for example, the design and commissioning of services
- to assess the performance of the local health and care system and to evaluate and develop it
- to report summary statistics to national organisations
- undertaking equity analysis of trends, particularly for vulnerable groups
- to support clinical audits
What are the lawful bases for processing your personal information?
In order to fulfil the local authority public health responsibilities set out in the Health and Social Care Act 2012, Bexley Council has a legal basis to process personal confidential data for certain public health purposes:
- GDPR Article 6(1)(e) Lawfulness of processing - to allow us to perform a public task carried out in the public interest or in the exercise of official authority vested in the controller
- GDPR Article 9(2)(i) Processing of special categories of personal data - for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy
Information may also be provided directly by you as members of the public to the Council when you sign up to use a service. This is collected in appropriate systems and used to provide or administer that service. These systems are access controlled, so only relevant employees have access to them. With consent, we may also make referrals from these systems to other services, such as a GP.
If the legal basis for processing is explicit consent, we will need to ensure you are provided with a:
- clear explanation of exactly what is being consented to
- clear “opt-in”
- clear option to withdraw your consent later by use of an “opt-out”
What identifiable data do we collect?
Bexley Council Public Health and our commissioned service providers collect identifiable data for the following public health programmes and services:
- National Child Measurement Programme (NCMP)
- Immunisations and control of infection
- Drug and alcohol treatment services
- Sexual health services
- 0-19 services
- School nursing services
- Lifestyle and behaviour change services
- NHS population screening programmes
- Public health initiatives
- Health and social care use including GP services, hospital services, NHS community services, mental health services, social care services
- Business owner names and contact details for the Healthier Catering Commitment
- Public Health events during which contact details of residents who provide us with feedback from the events are collected.
- Public Health England’s Data Capture System - provides an integrated data reporting and analysis system for the mandatory surveillance of Staphylococcus aureus, Escherichia coli, Klebsiella spp., Pseudomonas aeruginosa bacteraemia and Clostridium difficile infections. This data is available to infection prevention and control and health protection professionals to enable the required mandatory surveillance, including Post Infection Reviews of Clostridium difficile infections and methicillin-resistant Staphylococcus aureus (MRSA) bloodstream infections.
Each commissioned provider will collect different data in order to provide each service. The data is likely to be:
- Date of birth
- NHS number
- Contact phone number
- Details of circumstances relevant to the service being provided (for example: gender, occupation, ethnicity etc.)
London Borough of Bexley has access to the following data from NHS Digital which is supplied under a Data Sharing Agreement (DSA) and in accordance with Section 42(4) of the Statistics and Registration Service Act 2007 as amended by Section 287 of the Health and Social Care Act 2012, and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002. This data is only supplied by NHS Digital under strict licence and data disclosure controls:
- Primary Care Mortality Database (PCMD) – the PCMD provides Bexley Council with identifiable mortality data which is based on death registrations. The data includes the address, postcode of residence of the deceased, postcode of the place of death, NHS number, date of birth, date of death, name of certifier, and cause of death but not names. Our access is limited to those deaths which occurred within Bexley’s borders, deaths in Bexley residents and deaths in the registered population of GP Practices within Bexley’s Clinical Commissioning Group
- Births data tables – this dataset provides Bexley Council with access to identifiable data about the number of births that occur within Bexley (London Borough of Bexley and Bexley Clinical Commissioning Group). It includes the address of usual residence of the mother, place of birth, postcode of usual residence of the mother, postcode of place of birth of the child, NHS number of the child and date of birth of the child but no names
- Vital Statistics tables – this dataset provides Bexley Council with aggregated data which does not identify individuals. It contains data on live and stillbirths, fertility rates, maternity statistics, death registrations and cause of death analysis within Bexley (London Borough of Bexley and Bexley Clinical Commissioning Group)
- Hospital Episode Statistics (HES) – HES is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. This data is collected during a patient’s time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is use for non-clinical purposes, of this administrative data and contains pseudonymised records.
How do we keep information secure?
We are required to comply with the Data Protection Act 2018 to ensure information is managed securely and this is reviewed every year as part of our NHS Data Security and Protection Toolkit assessment (formerly NHS Information Governance Toolkit).
In order to comply with this, Bexley Council Public Health and our commissioned service providers use the following measures:
- any personal identifiable data is sent or received using secure email
- all data is stored electronically on encrypted equipment and is managed using the principles of medical confidentiality and data protection
- the number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all of whom undertake regular training about data protection and managing personal information
- confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified so that the data is managed and used under the same restrictions. Anyone who receives information from Bexley Council Public Health is also under a legal duty to keep it confidential
- we only keep hold of information for as long as is necessary. This will depend on what the specific information is and the agreed period of time. Data is permanently disposed of after this period, in line with Bexley Council’s Retention Schedule or specific requirements of the organisation who has shared the data with us
- in relation to the specific NHS Digital datasets described above, the data will only be processed by Local Authority employees in fulfilment of their public health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of the Local Authority or in connection with their legal function
Who do we share information with?
We will generally only allow your personal information to be used by those Council staff who need the data to perform their functions.
The following are Data Processors collecting information for the purpose of providing Public Health services on behalf of the London Borough of Bexley:
- Bexley Stop Smoking Service
- The Pier Road Project
- Everyone Health
- Adult Weight Management Programme contracted through Slimming World
- GP Practices delivering the NHS Health Checks programme
- Research partners using anonymised personal data
- Public Health England
- Bexley Clinical Commissioning Group (CCG)
- other Local Authorities
- Organisations that are commissioned or engaged for specific short-term health projects or initiatives
There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. Your data will not be shared or stored in or be accessible to any country with no UK-equivalent Privacy Law protection.
Your individual rights and further information
The London Borough of Bexley is a ‘data controller’ as we collect and process personal information about you. The information we collect is used in accordance with data protection and other relevant legislation outlined in previous sections. For more information about how Bexley Council processes your information, including your rights with regard to your personal data that we hold or are processing, please see the Corporate Privacy Notice.
To exercise any of your rights, please contact the Bexley Council Data Protection Team or the Public Health Team using the contact details below:
Data Protection Team
London Borough of Bexley
2 Watling Street
Kent DA6 7AT
Public Health Team
London Borough of Bexley
2 Watling Street
Kent DA6 7AT
The Information Commissioner’s Office is the UK’s independent authority set up to uphold information rights in the public interest. Further information and independent advice, including complaints, can be found on the Information Commissioner’s Office website.
NHS National Data Opt-out
National data opt-outs apply to a disclosure when an organisation, for example a research body, confirms they have approval from the Confidentiality Advisory Group (CAG) for the disclosure of confidential patient information held by another organisation responsible for the data (the data controller) such as an NHS Trust (or for this notice Bexley Public Health).
The CAG approval is also known as a section 251 approval and refers to section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be disclosed without the data controller being in breach of the common law duty of confidentiality.
In practice, this means that the organisation responsible for the information (the data controller) can, if they wish, disclose the information to the data applicant, for example a research body, without being in breach of the common law duty of confidentiality. To be clear, opt-outs apply only in these cases, and were Bexley Public Health to have such an agreement in place, we would apply the opt-out. Currently no such agreements exist. Further information about this programme, including how to opt out, can be found on the NHS Digital website.