Health and Adult Social Care privacy notice

Read our privacy notice for information on how we collect, store and process your data.

The data controller for your data

Brighton & Hove City Council is the data controller for purposes of the Data Protection Act (2018) and the General Data Protection Regulation (EU) 2016/679 ("GDPR") and is registered as a data controller with the Information Commissioner’s Office (ICO).

Brighton and Hove City Council are committed to protecting your personal information. As a data controller we have a responsibility to make sure you know why and how your personal information is being collected in accordance with relevant data protection law.

Why we’re collecting your data

Health and Adult Social Care directorate may collect your personal data in order for us to work out what you need and then how best we can support you, your health and wellbeing. Health and Adult Social Care comprises of social care professionals, public health professionals, providers services and hostels. Your information and feedback also helps us plan our services, investigate complaints, legal claims and incidents of concern.  Our services may be directly provided by us, by one of our partners such as NHS or in partnership with another agency such as private care home providers.

We carry out our duties and powers in line with various pieces of legislation to assess your needs and provide support and guidance.

What is the Legal Basis for collecting your Data

Our legal basis for collecting and processing your data is to fulfil our legal obligations and when it is considered necessary to enable us to carry out our tasks, functions, duties or powers or to perform a task carried out in the public interest. This is in line with GDPR Article 6,1 (c & e).

We will also need to process your special category data where it is necessary for the provision of health or social care, where there is a substantial public interest or where we are protecting public health. This is in line with GDPR Article 9,2 (g), Data Protection Act 2018 Schedule 1, Part 2, Part 2 Paras 6, 8, 17, 18 and 19 and GDPR Article 9,2 (h), Data Protection Act 2018 Schedule 1, Part 1, Para 1, 2 and 3 and GDPR Article 9, 2(i).

Where we rely on seeking your Consent to process your data, we will ask on an individual basis.

In addition to working within strict compliance with data protection legislation, Health and Adult Social Care also work within the below legislation and regulations:

  • Care Act 2014, Care and Support Statutory Guidance
  • Health and Social Care Act 2008
  • Mental Health Act 1989, associated Codes of Practice
  • Mental Capacity Act 2005 and Deprivation of Liberty Safeguards
  • The Care and Support (Discharge of Hospital Patients) Regulations 2014
  • Localism Act 2011
  • Equalities Act 2010
  • Chronically Sick and Disabled Persons Act 1970
  • Children Act 2004
  • Local Government Act 1974 and 1999
  • The Housing Grants, Construction and Regeneration Act 1996
  • Care Homes Regulations 2001
  • Homelessness Reduction Act 2017
  • The Care Quality Commission (Registration) Regulations 2009
  • The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009
  • The Local Authority (Public Health, Health and Wellbeing Boards and Health Scrutiny) Regulations 2013

The data we may collect

The type of information collected from you is as follows:

Personal Data

  • Contact details; including name, address, email address, telephone number, etc.
  • Date of birth
  • National identifiers such as; NI numbers, NHS numbers
  • Information about your family
  • Social and personal circumstances
  • Financial details for purposes of receiving or making payments
  • Photographs/ proof of identity

Special Category Data

We may also collect Special Category (sensitive data) of personal data that may include:

  • Physical and mental health details
  • Racial or ethnic origin
  • Gender and sexual orientation
  • Religion
  • Offences (including alleged offences)
  • Criminal proceedings, outcomes and sentences

Who we’ll share your data with

Staff within Health and Adult Social Care will have access to your information. This stops you having to explain things more than once. Your data may also be shared with staff from other council services such as housing or benefits teams where relevant. We may also share your data with health professionals such as your doctor, district nurse or hospital staff and your carers. We will only share your data with relatives where we have a duty to or where you have agreed we can. We will share your data with external organisations such as Care Agencies, local voluntary support services or other local authorities who are involved in your care now or where you are moving to a new local authority.

The council operates shared services with Surrey County Council and East Sussex County Council.  We may share your information with one of these partners if necessary, to provide these services.

How long we’ll keep data for and why

The amount of time we will keep your data depends on what services you receive from us and the legal basis for processing that data. There are laws that state the length of time we need to keep your data for and in certain circumstances, this may be indefinitely. 

However, the Principles we will use to determine how long your data will be kept include:

  • What type of services you received and whether you are still receiving them
  • Whether we still are still under a legal obligation either to you or under UK Law
  • Any standards and guidance set out by the various regulators for our functions

How your data will be stored

We have a responsibility by law, under the UK Data Protection Act 2018 and the General Data Protection Regulations, to keep your information secure and confidential and to only process it for the purposes for which is was obtained.

Your information will be stored electronically and/or on paper records and we will only make your information available to those who have a right to see it.

Example of the security measures we used are: -

  • Training for our staff allows us to make them aware of how to handle information and how and when to report when something goes wrong
  • We use Encryption- meaning that information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code. The hidden information is said to then be ‘encrypted’.
  • Pseudonymisation- meaning that we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours.
  • Controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it.
  • Regular testing of our technology and ways of working including keeping up to date on the latest security updates (commonly called patches).

Transferring Data outside the European Economic Area

Your data will not be transferred outside the European Economic Area

Your rights

Depending on the legal basis for processing your information you may have the following rights:

  • A right to a copy of data held about you, an explanation for its processing and who it has been shared with – this right applies to data processed under any lawful basis
  • A right to rectification (correction) of data which is demonstrably wrong – this right applies to data processed under any legal basis
  • A right to restrict processing – this right applies if it has been shown that there is no legal basis for processing your data, but you wish it to be retained for your own purposes
  • A right to object to processing – this right does not apply where the Council is under a legal duty to process your data but can be used where you dispute that there is a legal basis to process your data. In this circumstance, the Council is required to weigh its lawful basis for processing your data against your objection and provide you with a response.
  • A right to erasure – this applies where there is no longer a legal basis to retain your data.
  • A right to portability of your data (having it moved to another organisation) – this right applies only where the legal basis was either consent or performance of a contract, but data will usually be transferred to another local authority if a data subject moves to a new location.

NHS Confidential Patient Information- National Data Opt Out

Health and care staff may use your confidential patient information to help with your treatment and care, this data can also be used to help with research and planning. There are strict rules about how NHS can use your data and it's only shared securely and safely. However, you can opt out of NHS confidential patient information being used for purposes beyond your individual care and treatment. You can change your national data opt-out choice at any time by visiting the NHS website.

How to get advice or make a complaint

If you wish to discuss any of your data protection rights, you can contact the Data Protection Team on 01273 295959 or by email at

The council has also appointed a Data Protection Officer. Contact the Data Protection Officer online.

Whilst we would prefer that you contact us first with any concerns that you might have, you can also contact the Information Commissioner’s Office.  The ICO is the national regulator with responsibility for ensuring compliance with data protection.

Information Commissioner’s Office

You also have the right to lodge a complaint with a supervisory authority.

The ICO can be contacted through their website

Alternatively you can call: 0303 123 1113

You can also write to them at: Information Commissioner’s Office, Wycliffe House, Water Ln, Wilmslow SK9 5AF

This Privacy Notice will be subject to review when there is a change.