Public Health and Communities privacy notice

This privacy notice tells you what information Public Health and Communities collects and uses, and your rights regarding your information.

The Public Health and Communities directorate use data and information from a range of sources to exercise our statutory public health functions. The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), collectively referred to as data protection law. Suffolk County Council is the controller for the personal information that is being processed.

If you have any queries about how the team is collecting or using your personal data, you can contact Public Health and Communities via: HealthandWellbeing@suffolk.gov.uk. Contact details for the Council’s Data Protection Officer and Compliance Manager can be found in the council’s corporate privacy notice.

The types of personal data that we process and where it comes from

The team works with many types of data to be able to promote health and support improvements in the delivery of health and care services in Suffolk. This includes processing:

Identifiable data, and data which would potentially identify a living person (this is known as personal data) as well as non-identifiable data.

The Public Health directorate obtains data from different organisations. This includes (list not exhaustive):

  1. Hospital Episode Statistics (HES) from NHS England
  2. Primary Care Mortality Database (PCMD) from NHS England
  3. Births data tables from NHS England
  4. Commissioned Services data including Provide Community from the 1 May 2024 (Suffolk Sexual Health Service), Turning Point in partnership with Anglia Care Trust and Iceni (integrated treatment and recovery service for drug and alcohol misuse), Feel Good Suffolk (stop smoking, weight management)
  5. Specialised reviews from relevant teams in SCC and the NHS as required for the purpose of the review
  6. Population Health Management data from local and national data sources from health and care providers
  7. UK Health Protection Agency (e.g. to deal with disease outbreaks).
  8. Suffolk Office for Data & Analytics (this includes data from Suffolk County Council and other Suffolk organisations)

Note: All of the above organisations have their own privacy notices which set out why they need to share this data.

Why do we process your personal data?

We use the data to exercise our statutory Public Health and Communities functions, which include:

  • Planning and commissioning services
  • Improving the quality and effectiveness of commissioned services
  • Reviewing and assessing the performance of the local health and care system and to evaluate and develop it
  • Investigating incidents and in the management of risks to Public Health and Communities
  • Approving evidence-based interventions
  • Controlling infection
  • The National Child Measurement Programme
  • The NHS Health Check Programme
  • Supporting health visiting and school nursing services

This information is used to produce data and intelligence about the health and care needs of Suffolk residents, including:

Our legal basis for processing your information

Personal data

Under data protection law, we can only process your personal data if it is lawful to do so. For processing personal data, we rely on the following lawful basis(es):

  • UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task)

Special category data

When we process special category data, we rely on the following additional lawful basis(es):

  • UK GDPR Article 9(2)(h) – where processing is necessary for the provision of health and/or social care purposes (Schedule 1, Part 1, section 2, DPA 2018)
  • UK GDPR Article 9(2)(i) – where processing is necessary for reasons of public interest relating to matters of public health (Schedule 1, Part 1, section 3, DPA 2018)

Sharing your information

We share your personal information with other organisations and public bodies only where it is lawful and where there are pre-agreed information sharing agreements in place. This includes:

  • Health bodies and providers including local GPs, hospitals, mental health trust and community health and care trust
  • Other local authorities
  • UK Health Security Agency (reporting communicable diseases and other risks to public health)

Whether we intend to transfer your information to another country

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

How long we keep your information

We keep personal data for as long as we need it to fulfil the purpose that it was collected for, and in line with any statutory or locally determined retention periods as agreed with the organisations that provide the data. All the data we process is kept safely and securely within our IT systems. At the end of the retention period data is securely destroyed.

Automated decision-making and profiling

We do not use automated decision-making processes or profiling in respect of your information as defined by GDPR/DPA.

Your rights under data protection law

Under data protection law, you have the right to request access to the information that we hold about you. If you would like to make a request to access your personal information, please contact data.protection@suffolk.gov.uk. You also have other rights regarding your personal data. You can find out more information about these rights by looking at the council’s corporate privacy notice.

Your right to independent advice

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House,

Water Lane,
Wilmslow,
Cheshire
SK9 5AF

Telephone: 0303 123 1113
Email: casework@ico.org.uk