We keep the Public Health Privacy Notice under review. It was last reviewed and updated in September 2022.
If you have any questions about this Privacy Notice contact the council’s Data Protection Officer.
View the privacy and transparency information for all of the City of York Council (CYC).
- Personal data
- Collecting personal data
- Using personal data
- Our legal basis for using personal data
- Sharing personal data
- Retaining personal data
- Further processing of personal data
- Your rights relating to personal data
Since April 2013 the Health and Social Care Act 2012 has given local authorities the power to perform public health functions. This means that we have "a duty to improve the health of the people and responsibility for commissioning appropriate public health services" and the statutory responsibilities for public health services are clearly set out in the Health and Social Care Act 2012.
To deliver public health, local authorities need to use available health data sources to get relevant health and social care information. This data can contain person identifiable data (PID) which may identify patients such as:
- use of hospital services
- NHS Number
Some data may not be obviously identifiable; however there may be the potential to identify individuals through combinations of information, either by the people handling the data or by those who see published results.
See further details about how we define personal data and non-personal data.
Collecting personal data
We collect and hold personal data for public health purposes about:
- residents of York
- people receiving health and care services in York
- people who work or attend schools in York
We have a public health duty of care to all of these groups.
We may also collect and hold personal data where we are providing training. For example to frontline workers and volunteers.
Primary Care Mortality Database (PCMD)
We have access to the PCMD, which holds:
- mortality data as provided at the time of registration of the death
- additional GP details
- geographical indexing
- coroner details where applicable
Births and Vital Statistics datasets
We have access to births files, which include:
- date of birth
- birth weight
- place of birth
- stillbirth indicators
- age of mother
We have access to deaths data, which includes deaths broken down by:
- cause of death sourced from the deaths register
Using personal data
The Public Health Team will access health and related personal data to analyse the health needs and outcomes of the local population and for monitoring trends and patterns of diseases and the associated risk factors.
All information accessed, processed and stored by the Public Health Team will be used to measure the health, mortality or care needs of the population.
The information is used for planning, evaluating, monitoring, protecting and improving public health. It's used to carry out and support:
- health needs assessments
- health equity analysis
- commissioning and delivery of services to promote health and prevent ill health
- public health surveillance
- identifying inequalities in the way people access services
- joint strategic needs assessment
- health protection and other partnership
The Public Health team is committed to using pseudonymised or anonymised information as much as is practical, and in many cases this will be the default position.
- Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use
- Anonymisation is the process of removing identifying particulars or details from something, especially medical test results, for statistical or other purposes
Where we use Survey Monkey to conduct surveys, you can find out how they use your information by viewing the Survey Monkey Privacy Notice.
Where we use Microsoft 365 (MS365) recording or transcriptions, we will let you know. See the City of York Council Microsoft Office 365 (MS365) Teams Meeting including recording and transcription privacy notice.
We work with local pharmacies and hybrid providers to supply Healthy Start vitamins to those who are eligible under the National Healthy Start Scheme. You can find out how your information is used through the Healthy Start Privacy Notice (NHSBSA).
Our legal basis for using personal data
Depending on the processing activity being undertaken by Public Health we will rely on one or more of the following lawful basis for processing your personal data under the UK GDPR:
- Article 6(1)(b) which relates to processing necessary for the performance of a contract.
- Article 6(1)(c) so we can comply with our legal obligations such as set out in Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002
- Article 6(1)(d) in order to protect your vital interests or those of another person.
- Article 6(1)(e) for the performance of our public task.
- Article 6(1)(f) for the purposes of our legitimate interest.
Where the information we process is special category data, for example your health data, the additional bases for processing that we rely on are:
- Article 9(2)(a) your explicit consent.
- Article 9(2)(b) which relates to carrying out our legal obligations and the safeguarding of your fundamental rights.
- Article 9(2)(c) to protect your vital interests or those of another person where you are incapable of giving your consent.
- Article 9(2)(g) – where processing is necessary for reasons of substantial public interest
- Article 9(2)(j) for archiving purposes in the public interest.
Sharing personal data
We're required to comply with Data Protection legislation to ensure personal data is managed securely and this is reviewed every year as part of our NHS Data Security and Protection Toolkit assessment.
Any personal identifiable data is sent or received using secure methods such as secure e-mail. All data is stored electronically on encrypted equipment and is managed using the principles of medical confidentiality and data protection. The number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all of whom undertake regular training about data protection and managing personal data.
We will only share data with other areas of the NHS, local authorities or care organisations once the necessary legal basis has been established and data protection safeguards have been verified, so that the data is managed and used under the same restrictions. Anyone who receives information from the Public Health Team is also under a legal duty to keep it confidential.
In relation to births and deaths, the data will only be processed by our employees in fulfilment of their public health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of the council or in connection with their legal function.
Sharing data under Data Protection legislation
We may be required or permitted, under data protection legislation, to disclose your personal data without your explicit consent, for example if we have a legal obligation to do so, such as safeguarding and law enforcement.
Retaining personal data
We only keep hold of personal data for as long as is necessary. This will depend on what the specific information is and the agreed period of time.
Data is permanently disposed of after this period, in line with our retention policy/schedule or the specific requirements of the organisation who has shared the data with us.
At the end of the retention period, we may pass any relevant information to the City Archives where it is required or appropriate to do so.
Further processing of personal data
If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we'll provide you with a new notice.
The new notice will:
- explain this new use before we start the processing
- set out the relevant purposes and processing conditions
Where and whenever necessary, we'll seek your consent to the new processing, if we start to use your personal data for a purpose not mentioned in this Privacy Notice.
Your rights relating to personal data
To find out about your rights under Data Protection law, you can go to the Information Commissioners Office (ICO).
You can also find information about your rights on our website privacy page.
If you have any questions about this Privacy Notice, want to exercise your rights, or if you have a complaint about how your information has been used, please contact us by email: email@example.com or telephone: 01904 554145, or write to the:
Data Protection Officer
City of York Council
When we collect your personal data we'll tell you how we are going to use it. Where we process your personal data, you have a number of rights under data protection law.