Public Health Privacy Notice

We keep the Public Health Privacy Notice under review. It was last reviewed and updated in May 2022.

If you have any questions about this Privacy Notice, contact the council’s Data Protection Officer.

View the privacy and transparency information for all of the City of York Council (CYC).

Personal data

Since April 2013 the Health and Social Care Act 2012 has given local authorities the power to perform public health functions. This means that we have "a duty to improve the health of the people and responsibility for commissioning appropriate public health services" and the statutory responsibilities for public health services are clearly set out in the Health and Social Care Act 2012.

To deliver public health, local authorities need to use available health data sources to get relevant health and social care information. This data can contain person identifiable data (PID) that may identify patients, such as:

  • name
  • address
  • age
  • sex
  • ethnicity
  • disease
  • use of hospital services
  • NHS Number

Some data may not be obviously identifiable; however, there may be the potential to identify individuals through combinations of information, either by the people handling the data or by those who see published results.

See further details about how we define personal data and non-personal data.

Collecting personal data

We collect and hold personal data for public health purposes about:

  • residents of York
  • people receiving health and care services in York
  • people who work or attend schools in York

We have a public health duty of care to all of these groups.

Primary Care Mortality Database (PCMD)

We have access to the PCMD, which holds:

  • mortality data as provided at the time of registration of the death
  • additional GP details
  • geographical indexing
  • coroner details where applicable

Births and Vital Statistics datasets

We have access to births files, which include:

  • date of birth
  • sex
  • birth weight
  • address
  • postcode
  • place of birth
  • stillbirth indicators
  • age of mother

Deaths data

We have access to deaths data, which includes deaths broken down by:

  • age
  • sex
  • area
  • cause of death sourced from the deaths register

Using personal data

The Public Health Team will access health and related personal data to analyse the health needs and outcomes of the local population and for monitoring trends and patterns of diseases and the associated risk factors.

All information accessed, processed and stored by the Public Health Team will be used to measure the health, mortality or care needs of the population.

The information is used for planning, evaluating, monitoring, protecting and improving public health. It's used to carry out and support:

  • health needs assessments
  • health equity analysis
  • commissioning and delivery of services to promote health and prevent ill health
  • public health surveillance
  • identifying inequalities in the way people access services
  • joint strategic needs assessment
  • health protection and other partnership

The Public Health team is committed to using pseudonymised or anonymised information as much as is practical, and in many cases this will be the default position.

  • Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use
  • Anonymisation is the process of removing identifying particulars or details from something, especially medical test results, for statistical or other purposes

Our legal basis for using personal data

The legal basis for the collection and processing of information is set out in Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

Sharing personal data

We're required to comply with Data Protection legislation to ensure personal data is managed securely and this is reviewed every year as part of our NHS Information Governance Toolkit assessment.

Any personal identifiable data is sent or received using secure e-mail. All data is stored electronically on encrypted equipment and is managed using the principles of medical confidentiality and data protection. The number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all of whom undertake regular training about data protection and managing personal data.

Confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified, so that the data is managed and used under the same restrictions. Anyone who receives information from the Public Health Team is also under a legal duty to keep it confidential.

In relation to births and deaths, the data will only be processed by our employees in fulfilment of their public health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of the council or in connection with their legal function.

Sharing data under Data Protection legislation

We may be required or permitted, under data protection legislation, to disclose your personal data without your explicit consent, for example if we have a legal obligation to do so, such as for:

  • law enforcement
  • fraud investigations
  • regulation and licensing
  • criminal prosecutions
  • court proceedings

We must protect public funds and may use personal data and data-matching techniques to detect and prevent fraud, collect taxes and ensure public money is targeted and spent in the most appropriate and cost-effective way. To do this, your information may be shared with other bodies responsible for auditing or administering public funds, including the Department for Work and Pensions, HM Revenue and Customs, the Police and other local authorities.

Retaining personal data

We only keep hold of personal data for as long as is necessary. This will depend on what the specific information is and the agreed period of time.

Data is permanently disposed of after this period, in line with our retention policy/schedule or the specific requirements of the organisation that has shared the data with us.

At the end of the retention period, we may pass any relevant information to the City Archives where it is required or appropriate to do so.

Further processing of personal data

If we wish to use your personal data for a new purpose, not covered by this Privacy Notice, then we'll provide you with a new notice.

The new notice will:

  • explain this new use before we start the processing
  • set out the relevant purposes and processing conditions

If we start to use your personal data for a purpose not mentioned in this Privacy Notice, we'll seek your consent to the new processing where and whenever necessary.

Your rights relating to personal data

You have the right to opt out of us receiving or holding your personal identifiable data. The process for opting out will depend on the specific data and what programme it relates to. For further information, please contact the Public Health team by email at

When we collect your personal data we'll tell you how we are going to use it. Where we process your personal data, you have a number of rights under data protection law.

See further details of your rights relating to personal data.

Data Protection Officer

West Offices, Station Rise, York, YO1 6GA

Telephone: 01904 554145