This privacy notice is to explain and provide you with information on how we collect and hold data about you. This is in relation to the unprecedented challenges we face because of the Coronavirus pandemic (COVID-19).
You can view the general Brighton & Hove City Council Privacy Notice which has more about how we collect, use and protect personal data generally, as well as your rights as a data subject.
Brighton and Hove City Council is the data controller for purposes of the Data Protection Act (2018) and The General Data Protection Regulation (EU) 2016/679 ("GDPR"), and is registered as a data controller with the Information Commissioner’s Office (ICO).
Brighton & Hove City council are committed to protecting your personal information. As a data controller we have a responsibility to make sure you know why and how your personal information is being collected. This is in accordance with relevant data protection law.
Why we use or process your data
To best respond and help coordinate the community response for COVID-19 it is necessary to collect data about you.
What information we need and how we use it
Whilst we may already hold data about you, you may have provided this information for a specific reason and normally we would seek to inform you that the data provided would be used for a different reason.
Due to the rapidly emerging situation regarding the current pandemic, this will not always be possible. This might include using the contact information we have to send you public health messages, either by phone, text or email.
Additionally, at this time we may ask you for more information, where it is necessary to ensure your safety and well-being. We will, however, ensure that this is limited to what is proportionate and necessary to manage the spread of the virus and safeguard those most vulnerable.
The use of this information is subject to national guidance issued by the Department for Health and Social Care and the Ministry of Housing, Communities and Local Government.
Who we will share your data with
Your data may be shared where we have identified a need to provide support, internally or externally, with local health organisations such as:
- the NHS
- Public Health England
- other local services such as food banks or local support groups
Further information about how health and care data is being used and shared by other NHS and social care organisations in a variety of ways to support the Covid-19 response is below.
What the lawful basis is for processing personal data
Brighton and Hove City Council have recieved information from the Ministry Of Housing, Communities and Local Government and the Department of Health and Social Care.
We have instructions on how to use this information in the current circumstances. Additionally, we receive information containing personal and special category data from the NHS and local support providers.
The Government has issued advice on the sharing of data, they have also provided a link to frequently asked questions about the law.
The Information Commissioners Office and the National Data Guardian have released statements on the use of Health and Social Care data at this time.
About Personal Data
The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful.
The conditions that are relevant are:
- Article 6(1) (c) GDPR - processing is necessary for compliance with a legal obligation to which the controller is subject
- Article 6(1) (d) GDPR - processing is necessary in order to protect the vital interests of the data subject or another natural person
- Article 6(1) (e) GDPR - processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
About Special Category Data
The processing of special categories of personal data, which includes data concerning a person’s health, are prohibited unless specific further conditions can be met, as follows:
- Article 9 (2) (b) GDPR - processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law
- Data Protection Act 2018, Schedule 1, Part 1(1) - employment, social security and social protection
- Article 9 (2) (c) GDPR - processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- Article 9 (2) (g) GDPR - processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued
- Data Protection Act 2018, Schedule 1, Part 2 (6) - statutory and government purposes
- Data Protection Act 2018, Schedule 1, Part 2 (18) - safeguarding of children and of individuals at risk
- Article 9 (2) (h) GDPR - processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health and social care treatment or the management of health and social care systems and services
- Data Protection Act 2018, Schedule 1, Part 1(2) - health and social care purposes
- Article 9(2) (i) GDPR - processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health
- Data Protection Act 2018, Schedule 1, Part 1(3) - processing is necessary for reasons of public interest in the area of public health
The legislation, policies and guidance that relate to this service include, but are not limited to:
- The Civil Contingencies Act 2004 and (contingency planning) Regulations 2005 Allows the local authorities continue to exercise its functions in the event of an emergency
- The Local Government Act 2000 - give powers to local authorities to promote economic, social and environmental well-being
- Care Act 2014 - legal framework for local authorities support an individual’s ‘wellbeing’
- Vulnerable Children’s Act 2014
- Rough Sleeping Strategy 2018
How we store your information
We will only keep your information for as long as it necessary. We will consider Government guidance and the on-going risk presented by Coronavirus and the requirements of public accountability for our response to this emergency.
As a minimum the information outlined in this privacy notice will be kept for the duration of the COVID-19 response. However, in most cases, data will be kept for longer to meet evidential requirements under British statute and common law.
If possible, we will anonymise your personal data so that you cannot be identified. This cannot be done where data is needed to provide direct services to individuals.
When the information is no longer needed for this purpose it will be either deleted or anonymised for statistical purposes.
The Information Commissioner's Office has published its own FAQs on data handling during the pandemic.
If you have any questions about the collection or use of your personal data you can contact our Data Protection Team.
How to make a complaint
We aim to resolve all complaints about how we handle personal information. However, you also have the right to lodge a complaint about data protection matters with the Information Commissioner's Office.
Contact them by post at Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.
You can also phone 0303 1231 113.
You can make a complaint or find out more information on the Commissioner's Office website.
If your complaint is not about a data protection matter you can find details on how to make a complaint on our website.