Public Health Services privacy notice

Who is the data controller for the information I provide?

Liverpool City Council is the data controller for the information that you provide. The Liverpool City Council Public Health team is committed to protecting your personal information.

Why we are collecting your data

All Local Authorities have a duty to improve the health of the population they serve. To help with this, we use data and information from a range of sources, including data collected at the registration of a birth or death, to understand more about the health and care needs in the area. Public Health teams within Local Authorities are also required to commission and manage services for their population.

Liverpool City Council Public Health team uses personal identifiable information about residents and users of health care, to enable it to carry out specific functions for which it is responsible, such as: 

  • control of infection
  • managements of risks to public health such as the Covid-19 pandemic
  • organising the National Child Measurement Programme
  • organising the NHS Health Check Programme
  • organising and supporting the 0-5 health service and school nursing services.

The Public Health team also uses the information to derive statistics and intelligence for research and planning purposes, which include:

  • producing assessments of the health and care needs of the population, in particular to support the statutory responsibilities of the:
    • Joint Strategic Needs Assessment (JSNA)
    • Director of Public Health Annual report
  • identifying priorities for action
  • informing decisions on (for example) the design and commissioning of services
  • to assess the performance of the local health and care system and to evaluate and develop them
  • to report summary statistics to national organisations
  • undertaking equity analysis of trends, particularly for vulnerable groups
  • to support clinical audits

In these cases, the information is used in such a way that individuals cannot be identified from them and personal identifiable details are removed as soon as is possible in the processing of intelligence on an aggregated level.

What is the legal process for collecting and processing this data?

All organisations must provide a legal basis for processing your information. In most cases this is found under the Data Protection Act 2018, including the General Data Protection Regulation (GDPR).

The Public Health team of Liverpool Council also have a legal status allowing the processing of Personal Confidential Data for certain Public Health purposes. The use of such data will be restricted so that the principles contained in the Data Protection Act 1998 are fully adhered to. The legal basis is:

  • Section 42(4) of the Statistics and Registration Service Act (2007) as amended by Section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.
  • Article 6(1)(c) GDPR - legal obligation.
  • Article 6(1)(e) GDPR - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
  • Article 9(2)(i) GDPR – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy.
  • Where necessary data will be anonymised as defined in Article 4(3b) and under Article 11.

The information we may collect

Liverpool City Council Public Health collects and holds information for public health purposes about:

  • residents of Liverpool
  • people receiving health and care services in Liverpool
  • people who work or attend school in Liverpool

all to whom it has a public health duty of care.

This information is collected in two ways:

  1. It may be provided to us directly by a member of the public when they sign up to use a service we are providing.
  2. It may be shared with us by another organisation due to us being part of a service they are providing, or as part of research and intelligence necessary for Public Health functions, such as informing decisions on the design and commissioning of services. This will include organisations such as Office for National Statistics, NHS Digital, national and local NHS organisations, local authorities and schools.

Personal identifiable information which we either do not request or which we remove even if we have a legal duty to hold includes:

  • contact details
  • NHS number
  • geographic codes such as postcodes for the analysis of health inequalities
  • date of birth
  • information from birth and death certifications (personal identifiable information from NHS Digital used for public health purposes) 
  • information about the provision of Public Health services including: 
    • information about lifestyle behaviours, including data collected from surveys
    • information about disease prevalence including cancer registrations 
    • Information about other health statuses including blood pressure 
    • Information about health and social care use

Liverpool Public Health may also consult with our residents on health issues or to invite comments on some of the statutory work we do such as the Pharmaceutical Needs Assessment. Any personal information collected will be on a voluntary basis and processed under bespoke data sharing agreements.

If Liverpool Public Health was undertaking a piece of research where person identifiable information was required, then the department would follow the correct legal and governance processes.

Do I have to provide this information and what will happen if I don’t?

You do not have to provide this information.

Who will your information be shared with?

Confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified, so that the data is managed and used under the same restrictions. Anyone who receives information from Liverpool City Council Public Health is also under a legal duty to keep it confidential.

In relation to births and deaths, the data will only be processed by Local Authority employees in fulfilment of their public health function, and will not be transferred, shared, or otherwise made available to any third party, including any organisations processing data on behalf of the Local Authority or in connection with their legal function.

How long will you keep this information for?

We only keep hold of information for as long as is necessary. This will depend on what the specific information is and the agreed period of time. Data is permanently disposed of after this period, in line with Liverpool City Council’s Retention Policy/Schedule or the specific requirements of the organisation who has shared the data with us.

Please see What we do with your data for the council's full retention schedule.

How will my information be stored?

We are required to comply with the Data Protection Act to ensure information is managed securely and this is reviewed every year as part of our NHS Information Governance Toolkit assessment. Any personal identifiable data is sent or received using secure email. All data is stored electronically on encrypted equipment and is managed using the principles of medical confidentiality and data protection. The number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all who undertake regular training about data protection and managing personal information.

Will this information be used to take automated decisions about me?

No

Will my data be transferred abroad?

No

What rights do I have when it comes to my data?

You have a number of rights that are set out on the How to access your data page of this section.

As with the Data Protection Act, the GDPR provides for a number of rights for the data subjects that can be found in section 3. Whilst Liverpool Public Health have a legal and justifiable basis for collecting and processing your data it must be done so in a manner that is proportional and secure.

Deceased data subjects are not subject to DPA and GDPR, however we recognise that a duty of confidentiality may still exist when and will be mindful of this obligation when dealing with their information.

How to opt out

You have the right to opt out of Liverpool City Council Public Health receiving or holding your personal identifiable information.

There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues.

The process for opting out will depend on the specific data is and what programme it relates to. For further information, please contact the Public Health team by email PublicHealth@liverpool.gov.uk, or in writing to Liverpool Public Health, Liverpool City Council, Cunard Building, 3rd Floor, Pier Head, Water Street, Liverpool L3 1DS.

Where can I get advice?

View our Help and advice page for more information.