The data controller for your data

Brighton & Hove City Council is the data controller for purposes of the Data Protection Act (2018) and the General Data Protection Regulation (EU) 2016/679 ("GDPR") and is registered as a data controller with the Information Commissioner’s Office (ICO).
Brighton and Hove City Council are committed to protecting your personal information. As a data controller we have a responsibility to make sure you know why and how your personal information is being collected in accordance with relevant data protection law.

Why we’re collecting your data

Health and Adult Social Care directorate may collect your personal data in order for us to work out what you need and then how best we can support you. Health and Adult Social Care comprises of social care professionals, public health professionals, providers services and hostels. Your information and feedback also helps us plan our services, investigate complaints, legal claims and incidents of concern.  Our services may be directly provided by us, by one of our partners such as NHS or in partnership with another agency such as private care home providers. 

We carry out our duties and powers in line with various pieces of legislation to assess your needs and provide support and guidance. 

What the legal basis is for collecting your data

Our legal basis for collecting and processing your data is to fulfil our legal obligations and when it is considered necessary to enable us to carry out our tasks, functions, duties or powers or to perform a task carried out in the public interest. This is in line with GDPR Article 6,1 (c & e). 

We will also need to process your special category data and where it is necessary for the provision of health or social care. This is in line with GDPR Article 9,2 (g), Data Protection Act 2018 Schedule 1, Part 2, Part 2 Paras 17, 18 and 19 and GDPR Article 9,2 (h), Data Protection Act 2018 Schedule 1, Part 1, Para 2 and 3.

In addition to working within strict compliance with data protection legislation, Health and Adult Social Care also work within the below legislation and regulations:

  • Care Act 2014, Care and Support Statutory Guidance
  • Health and Social Care Act 2008
  • Mental Capacity Act 2005 and Deprivation of Liberty Safeguards
  • The Care and Support (Discharge of Hospital Patients) Regulations 2014
  • Localism Act 2011
  • Equalities Act 2010
  • Chronically Sick and Disabled Persons Act 1970
  • Children Act 2004
  • Local Government Act 1974
  • The Housing Grants, Construction and Regeneration Act 1996
  • Care Homes Regulations 2001
  • Homelessness Reduction Act 2017
  • The Care Quality Commission (Registration) Regulations 2009
  • The Local Authority Social Services and National Health Service Complaints (England) Regulations 2009
  • The Local Authority (Public Health, Health and Wellbeing Boards and Health Scrutiny) Regulations 2013

The data we may collect

The type of information collected from you is as follows:

Personal Data

  • contact details including name, address, email address, telephone number etc
  • date of birth
  • national identifiers such as National Insurance numbers, National Health Service numbers
  • information about your family
  • social and personal circumstances
  • financial details for purposes of receiving or making payments
  • photographs / proof of identity

Special Category Data

We may also collect Special Category (sensitive) personal data that may include:

  • physical or mental health details
  • racial or ethnic origin
  • gender and sexual orientation
  • offences (including alleged offences)
  • religion
  • criminal proceedings, outcomes and sentences

Who we’ll share your data with

Staff within Health and Adult Social Care will have access to your information. This stops you having to explain things more than once. Your data may also be shared with staff from other council services such as housing or benefits teams where relevant. We may also share your data with health professionals such as your doctor, district nurse or hospital staff and your carers. We will only share your data with relatives where we have a duty to or where you have agreed we can. We will share your data with external organisations such as Care Agencies, local voluntary support services or other local authorities who are involved in your care now or where you are moving to a new local authority. 

The council operates shared services with Surrey County Council and East Sussex County Council.  We may share your information with one of these partners if necessary, to provide these services.

National Data Opt Out

The service enables the public to register to opt out of their confidential patient information being used for purposes beyond their individual care and treatment. The public can change their national data opt-out choice at any time. 

How long we’ll keep data for and why

The amount of time we will keep your data depends on what services you receive from us, and the legal basis for processing that data.

There are laws that state the length of time we need to keep your data for, and in certain circumstances this may be indefinitely. 

However, the Principles we will use to determine how long your data will be kept include:

  • what type of services you received, and whether you are still receiving them
  • whether we are still under a legal obligation, either to you or under UK law
  • any standards and guidance set out by the various regulators for our functions

How your data is stored

We have a responsibility by law, under the UK Data Protection Act 2018 and the General Data Protection Regulations (EU), to keep your information secure and confidential, and to only process it for the purposes for which is was obtained.

Your information will be stored electronically and/or on paper records, and we will only make your information available to those who have a right to see it.

Example of the security measures we use are:

  • training for our staff allows us to make them aware of how to handle information, and how and when to report when something goes wrong
  • we use Encryption, which means information is hidden so that it cannot be read without special knowledge (such as a password). This is done with a secret code. The hidden information is said to then be ‘encrypted’
  • pseudonymisation, which means we can hide parts of your personal information from view. This means that someone outside of the Council could work on your information for us without ever knowing it was yours
  • controlling access to systems and networks allows us to stop people who are not allowed to view your personal information from getting access to it
  • regular testing of our technology and ways of working, including keeping up to date on the latest security updates (commonly called patches)

Transferring data outside the European Economic Area

Your data will not be transferred outside the European Economic Area.

Your rights

Depending on the legal basis for processing your information, you may have a right to:

  • a copy of data held about you, an explanation for its processing and who it has been shared with - this right applies to data processed under any lawful basis
  • rectification (correction) of data which is demonstrably wrong - this right applies to data processed under any legal basis
  • restrict processing - this right applies if it has been shown that there is no legal basis for processing your data, but you wish it to be retained for your own purposes
  • object to processing - this right does not apply where the Council is under a legal duty to process your data, but can be used where you dispute that there is a legal basis to process your data. In this circumstance, the Council is required to weigh its lawful basis for processing your data against your objection, and provide you with a response
  • erasure - this applies where there is no longer a legal basis to retain your data
  • portability of your data (having it moved to another organisation) - this right applies only where the legal basis was either consent or performance of a contract, but data will usually be transferred to another local authority if a data subject moves to a new location

How to get advice or make a complaint

If you wish to discuss any of your data protection rights, you can phone the Data Protection Team on 01273 29 59 59, or send an email to

The Council has also appointed a Data Protection Officer, you can use this form to contact the Data Protection Officer.

Whilst we would prefer that you contact us first with any concerns that you might have, you can also contact the Information Commissioner’s Office. The ICO is the national regulator with responsibility for ensuring compliance with data protection.

Information Commissioner’s Office

You also have the right to lodge a complaint with a supervisory authority.

The ICO can be contacted through their website.

Alternatively you can phone: 0303 123 1113

You can also write to them: Information Commissioner’s Office, Wycliffe House, Water Ln, Wilmslow SK9 5AF

This Privacy Notice will be subject to review when there is a change.

Date for Review: August 2020