Fair processing notices - Privacy Notice, Coronavirus (COVID-19)

How we use your data

This privacy notice explains how we use information we hold about you (including new information that we will be collecting) in relation to the unprecedented challenges we face in responding to the Coronavirus pandemic (COVID-19).

This notice is specifically for our COVID-19 response.  The privacy notices for the work generally carried out by our individual services can be found below and continue to apply alongside this notice. Your rights under data protection law and how to exercise them is covered in these notices.

Fair processing notices

What information do we hold and collect and how will we use it?

In order to best respond and help coordinate the community response to COVID-19 it may be necessary to use details about you including your name, address, telephone number and email address.

We may also need to use more sensitive personal information, some of which we already hold and some we may have to ask you for, for example, your age or if you have any underlying illnesses or are vulnerable. This is so we can assist you and prioritise our services.

These details may include your:

  • name;
  • contact information (home address, telephone number, email address);
  • NHS number;
  • health and social care data, including ‘confidential patient information’;
  • information relevant to your needs during the outbreak or your support needs if you are a carer;
  • Information about what support you can provide to others.

We may also ask you for information to help us identify and understand about those suffering with, or at risk of suffering with, COVID-19; information about incidents of exposure to COVID-19 and the management of outbreaks of or the risk of COVID-19 including locating, contacting, screening, flagging and monitoring such incidents and collecting information about and providing services in relation to testing, diagnosis, self-isolation, fitness to work, treatment, medical and social interventions and recovery from COVID-19.

Whilst we may already hold data about you, you may have provided this information for a specific reason and normally we would seek to inform you that the data provided would be being used for a different reason, however, due to the rapidly emerging situation regarding the current pandemic this will not always be possible.

An example of this is where you have provided us with your email address. At this time, it is in the council’s and the public’s legitimate interest to keep you informed of matters. As a consequence, your email address may be used to keep you informed of specific matters including, but not limited to, relating to covid-19 interventions and impacts, availability and delivery of council run services or those offered by or working in partnership with the council.

Additionally, at this time, we may seek to collect and process information from you, which is above and beyond what would ordinarily be collected. This is necessary to ensure your safety and well-being, however we will ensure that this will be limited to what is proportionate and necessary, in accordance with Government guidance, to manage and contain the virus and enable us to effectively keep people safe, put contingency plans into place to safeguard those who are vulnerable and to aid business continuity.

We aim to:

  • understand COVID-19 and the risks to public health, trends in COVID-19 and such risks, and controlling and preventing the spread of COVID-19 and such risks;
  • identify and understand information about patients or potential patients with or at risk of COVID-19, information about incidents of patient exposure to COVID-19 and the management of patients with or at risk of COVID-19 including: locating, contacting, screening, flagging and monitoring such patients and collecting information about and providing services in relation to self-isolation, fitness to work, social interventions and recovery from COVID-19;
  • understand information about patient access to health services and adult social care services and the need for wider care of patients and vulnerable groups as a direct or indirect result of COVID-19 and the availability and capacity of those services or that care;
  • monitor and manage the response to COVID-19 by health and social care bodies and the Government including providing information to the public about COVID-19 and its effectiveness and information about capacity, equipment, supplies, services and the workforce within the health services and adult social care services;
  • deliver services to service users, vulnerable individuals, patients, clinicians, the health services and adult social care services workforce and the public about and in connection with COVID-19, including the provision of information and the provision of health care and adult social care services;
  • research and plan in relation to COVID-19; and
  • help understand the response to an emergency and build lessons learnt.

We will also use your data to better understand the services we provide and to help us build those services for the future. We may also use your data to identify if our services are fulfilling our legal obligations.

What is the lawful basis for processing personal data?

The Secretary of State for Health and Social Care has served notice on the City Council under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) requiring the Council to process confidential patient information for purposes set out in Regulation 3(1) COPI, and as set out in the notice.

The council will collect and use your personal information for specific reasons in order to manage and mitigate the spread and impact of the current outbreak of COVID-19.  These include:

  • for the purposes of research,
  • to protect public health,
  • to provide public health and social care services to the public, and
  • to monitor and manage the COVID-19 outbreak and incidents of exposure.

The legal basis for processing your personal data will be as follows:

Article 6 of the GDPR - lawful basis for processing personal data:

  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary for the performance of task carried out in the public interest
  • Processing is necessary in order to protect the vital interests of data subjects

We also consider that the following criteria is met:

Article 6(1)(d) GDPR - processing is necessary in order to protect the vital interests of the data subject or another natural person.

Recital 46 adds that "some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread".

Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

Article 9 of the GDPR - condition for processing special category personal data:

  • Processing is necessary for reasons of public interest in the area of public health

The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met as follows:

Article 9(2)(i) GDPR – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.

Schedule 1, Part 1(3) Data Protection Act 2018 – processing is necessary for reasons of public interest in the area of public health, and is carried out by or under the responsibility of a health professional, or by another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.

Article 9(2)(g) GDPR - processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

The legislations, policies and guidance that relate to this service include, but are not limited to:

The Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 allow the local authorities to continue to exercise its functions in the event of an emergency

Care Act 2014 - legal framework for local authorities support the individual’s ‘wellbeing’

Who are we likely to share this information with?

In this current pandemic, we may share your personal data internally within our various departments and services as well as externally with other public authorities, emergency services and other stakeholders as necessary and proportionate.

It will be necessary at this time for us to partner with other organisations, redeploy our staff and carry out legal obligations and public tasks that we do not usually do, so your personal data may be shared with people who do not normally have it, but this will only be done where there is a legitimate, legal reason to do so.

The parties we may share your data with include, but are not limited to:

  •  our service providers;
  • the Department of Health and Social Care, and all arm’s length bodies of the department;
  • other relevant central government departments;
  • police forces
  • GP practices;
  • health and care organisations and individual health and care professionals
  • NHS Digital;
  • NHS England;
  • NHS Improvement;
  • Other local authorities where relevant;
  • Community Groups;
  • Volunteers and charities;

Storing your information

We will only keep your information for as long as is necessary, taking into account Government advice and the on-going risk presented by Coronavirus. As a minimum the information outlined in this privacy notice will be kept for the duration of the COVID-19 response.

Where possible we will anonymise your personal data so that you cannot be identified.

When the information is no longer needed for this purpose, it will be securely deleted.

Further information

The Information Commissioner’s website, www.ico.org.uk, provides further information to individuals and organisations about the processing of personal data at this time.

Who to contact if you have questions

Write to the information rights team at foi@stoke.gov.uk or Information Rights Team, Floor 2, Civic Centre, Glebe Street, Stoke-on-Trent ST4 1HH 
 
If you wish to complain about how your personal information has been handled by the city council contact the information rights team in the first instance, on the details provided above.

If you remain dissatisfied then the Information Commissioner’s Office can be contacted.

Information Commissioner's Office website

You have the right to contact the Information Commissioner’s Office at any time.