COVID-19 privacy notice
This privacy notice is to provide you with information about how Surrey Heath Borough Council may seek to collect and use information about you in relation to the unprecedented challenges we are all facing during the Coronavirus pandemic (COVID-19), which is above and beyond what would ordinarily be collected in order to ensure your safety and well-being.
Such information will be limited to what is proportionate and necessary, taking into account the latest guidance issued by the Government and health professionals, in order to manage and contain the virus.
It will enable the Council to effectively fulfil our functions to keep people safe, put contingency plans into place to safeguard those vulnerable and aid business continuity.
Who is the Data Controller for this processing?
Surrey Heath Borough Council and Selected Health and Care Providers are the Data Controllers for this processing.
What personal information do we hold?
In order to best respond and help coordinate the community response for COVID 19 it is necessary to collect basic details about you including;
- Information about you, this could include your name, address, date of birth, mobile telephone number and email address.
- National identifiers such as NHS number, National Insurance number etc.
- Information about your family and your next of kin
- Details about your lifestyle and social circumstances
- Physical or mental health details
- Social Care support outcomes
We may also need to collect details about your health to identify if you (or those closely linked to you) are in any of the high-risk categories and would be considered vulnerable, if infected with Coronavirus.
We only collect and use the minimum amount of personal information required when delivering a service to you.
Wherever possible we use non-identifiable personal information.
We get most of this information from you, but we may also get some of this data from:
- Central Government Agencies including Public Health England, Department of Health and Social Care
- NHS Digital
- Other Local Authorities
- Health and social care providers
- Police and probation services
- Members of the public (referrer)
- Commissioned partners
- Family members and your next of kin
How do we use your personal information?
We use your information for one or more of the following reasons:
- Deliver the service, or handle your query
- Connect you to support in the community as part of the COVID-19 response.
- To plan and improve the services we offer
- To process business grants to sole traders, individual trustees, partners or other named persons
- Contacting local residents who are clinically extremely vulnerable in order to facilitate the provision of emergency aid (eg, food and medicines), or other appropriate assistance (eg, social contact).
- Enforcement action, this can be taken against someone where they either (i) test positive for Coronavirus, or (ii) have been identified by NHS Test and Trace as having been in close contact with someone who has tested positive for Coronavirus, and, in either case, where that person is not self isolating as required by law. Any enforcement action that results, - pursuant to the Health Protection (Coronavirus, Restrictions) (England) No 3 Regulations 2020, will be taken for and on behalf of Surrey County Council, who will be the data controller. Please refer to Surrey County Council’s Privacy Notice for further information.
- To help control local outbreaks of coronavirus infection - To ensure that individuals that have tested positive for COVID 19 are contacted to provide them with advice and to gather intelligence on others with whom they may have been in contact in order to help stop the spread of the virus, your contact information may be shared between Surrey County Council and the national Contact Tracing Service commissioned by Department of Health and Social Care (DHSC).
As part of the response to Covid-19 outbreak sometimes we may need to share your information.
Where we do share your information we will only do so where we have your consent or where we are required to do so under additional legal requirements, for example to assist the government in containing the spread of Covid-19, to safeguard public safety, and in risk of harm or emergency situations.
Any information which is shared will only be shared on a need to know basis, with appropriate individuals. Only the minimum information for the purpose will be shared.
Where we may need to share your information:
- Health service providers including NHS Agencies (GPs, Hospitals, Ambulance, Health Visitor, Mental Health Services)
- Care providers, e.g. day care, domiciliary, residential
- Government Agencies (e.g. Department of Health, Department of Work and Pensions)
- Support groups for people with disabilities
- Local Government
- Surrey Heath Prepared
- Local Charities
- Landlords where households have been placed in emergency accommodation
What is the legal basis for our use of your personal information?
The Local Authority can receive and process data for the agreed purposes under a notice issued to the Local Authority by the Secretary of State for Health and Social Care under Regulation 3(4) of the Health Service Control of Patient Information Regulations (COPI) as the Local Authority is an organisation covered by Regulation 3(3) of COPI and the agreed purposes for which the data is being used by the Local Authority is covered by Regulation 3(1) of COPI.
The legal basis under GDPR for processing the data is that it is in the public interest for us to deal with the outbreak of Covid-19.
The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful. These relevant conditions are below:
- Article 6(1)(c) – Legal obligation to receive and process shielded patient from NHS Digital for the agreed purpose under the COPI Notice
- Article 6(1)(d) – is necessary in order to protect the vital interests of the data subject or another natural person.
- Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
- Article 6(1)(e) – is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met. These further relevant conditions are below:
- Article 9(2)(i) – is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
- Schedule 1, Part 1(3) – is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law, e.g. Governmental guidance published by Public Health England
How long will we keep your personal information?
The Council will only keep your information for as long as it necessary, taking into account of Government advice and the on-going risk presented by Coronavirus.
Information provided in relation to this outbreak of Coronavirus will not be used for any other purpose, including to be held within personnel files ‘just in case’ it may be needed again.
When the information is no longer needed for this purpose, it will be securely deleted.
How we handle data security
We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.
How we handle data breaches
We have put in place procedures to deal with any suspected personal data breach and will notify you and any applicable regulator of a breach where we are legally required to do so.
Under data protection law, you have rights including:
- Your right of access - You have the right to ask us for copies of your personal information.
- Your right to rectification - You have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
- Your right to restriction of processing - You have the right to ask us to restrict the processing of your information in certain circumstances.
- Your right to object to processing - You have the right to object to the processing of your personal data in certain circumstances.
- You are not required to pay any charge for exercising your rights. If you make a request, we have one month to respond to you.
Please see Your Legal Rights section of the main Privacy Notice.
How to complain if you are unhappy about how your data is used
You can complain directly to the Council's Data Protection team by email firstname.lastname@example.org
If you remain dissatisfied with how the Council has handled your data you can complain to the Information Commissioners Office (ICO);
- By post: The Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
- Telephone: 0303 123 1113
Transferring data outside of the EEA
We do not transfer your personal data outside the European Economic Area (EEA)