Food safety, health and safety, and infectious diseases privacy notice

Brighton & Hove City Council is committed to protecting your personal information. As a data controller we have a responsibility to make sure you know why and how your personal information is being collected in accordance with relevant data protection law

The primary laws which govern how Brighton & Hove City Council collects and use personal information (known as “Data”) about you are:

General Data Protection Regulation (GDPR)
Data Protection Act (DPA) (2018)

However, Food Safety and Health & Safety is also subject to other specific laws which define when and for what purposes it can use your personal data.

Why we’re collecting your data

In order for the Food Safety and Health & Safety Teams, including Infectious Diseases, to function throughout the City of Brighton & Hove we must collect and process personal and special category data.

We may collect and process data in order to register food businesses. Once a food business is registered or approved we will use the information to carry out inspections to issue food hygiene ratings. Information collected will also be used for communication purposes in relation to food businesses and food safety.

The Food Safety Team will also collect data when dealing with importing and exporting food. Information gathered is used to approve whether food can enter or leave the United Kingdom.

We may also process data to provide our Principles of Food Safety training to those who are involved with a food business. As there is a cost to attending the course we would be processing financial information.

When dealing with food business and food safety matters the council has a duty to enforce the Food Safety Act 1990, as well as duties from the Official Food and Feed Control (England) Regulations 2009. We also have powers under this act to provide the training, as mentioned above.

Data is collected to inspect and investigate matters related to health and safety around the city of Brighton and Hove. Information gathered in our investigations may also be used for enforcement action, including prosecution. Areas that would result in inspections or investigations include, but are not limited to, asbestos, under age piercing and tattooing, reports of issues at places of work and the holding of events.

All work carried out in relation to health and safety matters is done to fulfil duties under the Health and Safety at Work Act 1974.

Information is also collected and processed in order for the council to plan, prepare and respond to outbreaks of infectious diseases. Data will be used for investigations and service provision for the purposes of public health protection and may lead to enforcement action. Part of our investigations may result in taking samples for evidence.

The council has duties under the following pieces of legislation when dealing with infectious disease matters:

  • Public Health (Control of Diseases) Act 1984
  • Public Health Act 1936

The council also has duties and powers from the Health Protection (Local Authority Powers) Regulations 2010.

Data may be collected and processed in order to respond appropriately to complaints or queries from the public and business. Information provided may be used in investigations and enforcement action, as well as for communication purposes in relation to the complaint or query.

Where it is necessary to process special category data, our lawful basis for doing so is under special category data, specifically within the Data Protection Act (2018) Schedule 1, Part 2, Paragraph 6 ‘Statutory etc. and government purposes’; and Paragraph 12 'Regulatory requirements relating to unlawful acts and dishonesty etc.'

The data we may collect

Personal Data

  • contact details; including name, address, email address, telephone number, etc.
  • date of birth
  • financial details for purposes of receiving or making payments
  • licenses or permits held
  • business activities

Special Category

  • physical or mental health details
  • racial or ethnic origin
  • offences (including alleged offences)
  • criminal proceedings, outcomes and sentences

Who we’ll share your data with

Your information may be shared internally with other Regulatory Service Teams, Legal Services, Events Team, Schools, Communications Team, Financial Services and Customer Service Team.

Your information may also be shared externally with other local authorities, Food Standards Agency, the courts, food businesses or their representative, Public Health Lab, Public Analyst, Public Health England, Department for Environment, Food & Rural Affairs, the press, border control including that of other nations and their local authorities, Highfield Qualification, David Taylor Training, produce manufacturers, East Sussex Fire and Rescue Service, Immigration, Police and Her Majesty’s Revenue and Customs.

Data that is shared is always done:

  • on a case-by-case basis
  • using the minimum personal data necessary to provide the service
  • with the appropriate security controls in place
  • in line with legislation

Information is only shared with those agencies and bodies who have a need to know or where you have consented to the sharing of your personal data.

We may use the information we hold about you to assist in the detection and prevention of crime or fraud. We may also share this information with other bodies that inspect and manage public funds.

Holding your personal information

We will not keep your data for longer than is necessary, subject to any legal obligations we have to retain the data. How long we keep it will vary according to the services you are involved with and the lawful basis for processing within those services.

The principles we use to determine how long your data will be kept include:

  • the type of services you received and whether you are still receiving them
  • whether we still are still under a legal obligation either to you or under UK Law
  • any standards and guidance set out by the various regulators for our functions
  • whether you have expressed a preference that your data be retained, such as exercising your right to restricted processing

Information relating to a food business will be kept for 6 years from when the food business has closed.

If you have attended the Principles of Food Safety training, your data will be kept for 3 years.

Data from complaints and queries relating to food safety will be kept for 6 years from when the matter has been dealt with. If there is no further action from a complaint or query then it would be kept for one year from the date of contact.

Information relating to the exporting or importing of foods is kept for 6 years from generation.

Information relating to health and safety matters will either be kept for 6 years from close of business, or from when the matter has been dealt with (if not relating to a business). If the data is from a complaint or query and there is no further action, we would keep it for one year from the date of contact.

For data relating to infectious diseases, normal investigations will be kept for 6 years from close of investigation for those who are over 18. If the investigation involves someone under 18, we would keep information until their 21st birthday plus 6 years. Information held that relates to an infectious disease outbreak must be kept for 10 years and if death related, 20 years from the date of death.

How your data will be stored

Your information will be stored on electronic databases, document management systems and on paper records.

Who can access your data

We will only make your information available to those who have a need to know in order to perform their council role.

How we protect your data

Examples of our security measures:

  • training for our staff, making them aware of how to handle information securely and how and when to report when something goes wrong
  • we use encryption when data is being sent, meaning that information is scrambled so that it cannot be read without access to an unlock key. The hidden information is said to then be ‘encrypted’
  • where possible, data will be pseudonymised, meaning that your identity will be removed, so that work can be done without your identity being known by the people doing that work
  • controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
  • regular testing of our technology and ways of working, including keeping up to date on the latest security updates (commonly called patches)

Transferring data outside the European Economic Area

The only information that is processed outside of the European Economic Area are food businesses email addresses. We use an email service provider, MailChimp, to send our email updates. The mailing list is maintained on MailChimp servers in the United States of America. Read more information on their terms and conditions. MailChimp has signed up to the EU/US Privacy Shield.

All other information handled by the Food Safety, Health & Safety and Infectious Disease Team is not transferred or processed outside of the European Economic Area.

Your individual rights

In relation to your personal information you have the right:

  • to be informed – you have the right to know about the collection and use of your personal data. We will inform you through our service-specific notices
  • of access – you can request to know what we hold on you along with an explanation for how it is used by making a Subject Access Request
  • to rectification – you have the right to ask us to update, amend or change your information if it is factually inaccurate or incomplete
  • to restrict processing – you have the right to request that we limit using your personal data for specific purposes if you do not believe we have a lawful basis for a particular purpose or where you consider the data to be incorrect. Upon receiving a restriction request, we are obliged to consider our use of the data and provide you with a response
  • to object – you have the right, in certain circumstances, to object to us collecting, using and storing your information. Upon receiving a request of this type, we are required to stop using your data while we investigate and provide a response

How to get advice or make a complaint

Data protection contacts

If you wish to discuss any of your data protection rights, you can contact the Data Protection Team on 01273 295959 or by email at data.protection@brighton-hove.gov.uk

Contact the council's Data Protection Officer 

Whilst we would prefer that you contact us first with any concerns that you might have, you can also contact the Information Commissioner’s Office. The ICO is the national regulator with responsibility for ensuring compliance with data protection.

Information Commissioner’s Office

You also have the right to lodge a complaint with a supervisory authority. Contact details for the ICO is stated below:

You can contact the ICO:

  • on their website
  • by telephone: 0303 123 1113
  • by post: Wycliffe House, Water Ln, Wilmslow SK9 5AF

This Privacy Notice will be subject to review when there is a change.