Covid-19 privacy notice

This privacy notice is in addition to our Corporate Privacy Notice and provides details as to how the Council will collect, use and protect personal data specifically with regard to the COVID-19 Pandemic.

The Council will already hold data regarding residents, employees and stakeholders. This information may have been provided for a specific reason and under normal circumstances, the Council would inform you if the personal data provided would be used for a different purpose. However, due to the rapidly changing situation with the COVID-19 pandemic, it will not always be possible to do this.

To this extent, Recital 46 of the GDPR provides that:

“Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.”

If we currently hold information regarding vulnerability, as defined in the current guidance from the Government and Public Health England, we might share this information for emergency planning purposes. We might also share this information with services both inside and outside of the Council to protect your vital interests and to act in the public interest.

During this pandemic, we may need to ask you for your personal information, including sensitive personal information, for example, your age or if you have any underlying illnesses or are vulnerable. This could be personal information that you had not needed to previously provide to us and is in order that the Council can assist and priorities its services.

You can find information about how the Council is addressing the pandemic on the COVID-19 section on our website.

The Information Commissioner’s Office have also developed a data protection and coronavirus information hub, which can be found on the ICO website. 

Personal data relates to a living individual who can be identified from that data. Identification can be by the information alone or in conjunction with any other information in the data controller's possession or likely to come into their possession. 

During the coronavirus pandemic the Council may process your data on the basis that the data is either:

1. Necessary in the vital interests of yourself or another person (Article 6(1)(d) and 9(2)(c)) or
2. Necessary for the reasons of substantial public interest (Article 9(2)(g)) or
3. Where it is in the interest of public health (Article 9(2)(i)). 

Your personal data will only be kept for as long as is necessary for the purpose for which the Council is processing it unless there is a legitimate reason for keeping it longer. At present, it is not known how long data relating to the management of this pandemic will be retained. You can be assured that the Council will follow any published guidance in this respect as and when it becomes available.

Wherever it is possible, the Council will keep your personal data anonymous, so that you cannot be identified.

Where we do not need to continue to process your personal data, it will be securely destroyed.

The Secretary of State for Health and Social Care, Matt Hancock, has issued four notices under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (SI 2002/1438) requiring healthcare organisations to process and share personal data for the purposes of research, protecting public health, providing healthcare services to the public and monitoring, as well as managing, the COVID-19 outbreak.

The healthcare organisations are:

• NHS Digital
• NHS England and Improvement
• Health organisations
• Arm's length bodies
• Local authorities.
• GPs.

The notices require that data is shared for purposes of monitoring and preventing the spread of COVID-19; they give health organisations as well as local authorities the power to share personal data for the purposes set out in the notices. In addition to data sharing, the authorisation under the notices also extends to processing data in order to notify the more vulnerable members of the public and advise them to self isolate.