This privacy notice explains what personal information is collected, what it is used for and who it is provided to. The notice also describes why the Council requires your data, and the legal basis on which it does this.
This privacy notice relates to the Council’s Public Health service. It provides additional information that specifically relates to this particular service, and should be read together with our general privacy notice, which provides more detail on the questions below. Read our general privacy notice.
Public Health Manchester became part of Manchester City Council when the public health duty moved from the NHS to local authorities in April 2013. We work within a strong and formal partnership between the council and NHS Manchester Clinical Commissioning Group. The new partnership is called Manchester Health & Care Commissioning (MHCC) and aims to improve the health and wellbeing of people in Manchester and achieve a sustainable health and social care system across the city. Further information about MHCC is available on the website: www.mhcc.nhs.uk.
What personal information does this service use?
We receive personal information about:
• Residents of Manchester
• People receiving health and care services in Manchester
• People who work or attend school in Manchester
The types of personal information we hold are:
• NHS number
• Date of birth/death
• Date of registration
• Place of birth/death text and postcode
• Postcode of usual residence
• Date of registration
• Maiden name
• Name of certifier
• Name of coroner
• Birth weight
• Cause of death
• Date of A&E attendance/outpatient appointment/admission
• Investigation/diagnosis/treatment/procedure codes
• Body Mass Index (BMI)
• Carer Support
• Marital Status
This service also uses the following special category personal information:
• ethnic origin
• health details
• sexual orientation
Only a limited number of authorised staff have access to personal information where it is appropriate to their role and is strictly on a need-to-know basis. All of our staff receive appropriate and on-going training to ensure they are aware of their personal responsibilities and have contractual obligations to uphold confidentiality, enforceable through disciplinary procedures.
What is your personal information used for?
Our overall role is to improve and protect the health and wellbeing of the whole population of Manchester, but have five specific responsibilities described by law:
- Helping protect people from the dangers of communicable diseases and environmental threats.
- Organising and paying for sexual health services.
- Providing specialist public health advice to primary care services: for example GPs and community health professionals.
- Organising and paying for height and weight checks for primary school children.
- Organising and paying for regular health checks for Manchester people.
To do the above, we need information about people’s health and wellbeing. We use this information for measuring health and care needs of the population, for planning, evaluating and monitoring health, and for protecting and improving public health.
Personal information helps us to:
- Inform what our priorities should be so that we can decide which services we should commission, such as advice and support services on alcohol and drug misuse, help to stop smoking, advice on obesity and diet, promoting physical activity, better nutrition and a healthy lifestyle.
- To coordinate initiatives, such as to improve mental health, and the health of children and young people, and raise awareness about health at work and preventing injuries.
- To assess the performance of local health and care system and to evaluate and develop them
- To carry out research and intelligence activities to tackle the scale of health inequalities found in Manchester.
- To carry out assessments of the health and care needs of the population and to comply with our statutory obligations. For example, the Public Health Annual Report and the Joint Strategic Needs Assessment, use data to help us understand patterns of disease, the outcomes of our residents, and what we can do to improve people health and improve healthy life expectancy.
- To maintain our own accounts and records in order to support and to monitor how we and our partner organisations are providing our services.
What is the lawful basis we are relying on?
We will only use your personal data where it is necessary in order to perform our public tasks and duties as a Local Authority (Art 6(1)(e) of the General Data Protection Regulations ‘GDPR’), and to meet our statutory obligations to commission health care services, such as under the Care Act 2016 (Art 6(1)(c) of the GDPR).
In some cases, we may be required to share your information by law (Art 6(1)(c)) or where it is necessary to protect someone in an emergency (Art 6(1)(d)).
We will only use any special category personal data we hold where it is necessary and because there is a substantial public interest (such as to carry out a legal duty, for the prevention of crime) (Art 9(2)(g)), and where it is necessary to deliver social care services (Art 9(2)(h)).
We may also need to use special category data:
• where it is necessary to protect someone in an emergency (Art 9(2)(c))
• where it is necessary for legal cases (Art 9(2)(f))
• where it is necessary for employment purposes (Art 9(2)(b))
• where it is necessary for archiving, research or statistical purposes ((Art 9(2)(j)))
The legal basis for Public Health Manchester to receive and process person-identifiable information about births and deaths is provided by Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012).
Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002 provides a legal basis for processing confidential personal information for the purpose of fulfilling our statutory duties in relation to communicable diseases.
Where has your personal information come from?
The Public Health team does not collect personal information directly from citizens. However, the service providers we commission and pay for will usually need to collect personal information in order to provide the service. We will usually require those providers to give us data so we can evaluate the service, ensure we get value for money, and to plan service improvement.
Much of the information we use is in aggregate form, in other words, it is made up of statistics that relate to groups of people rather than to individuals. For example, we use aggregate data to produce statistics to help identify local priorities to improve and protect the health and wellbeing of the communities we serve. Using data that is already based on groups means this information is anonymous, which means it does not identify individuals within these groups.
We sometimes get data that is not already grouped, but where all identifying data (including name, NHS number, and date of birth, date of death, address, and postcode) has been removed so that we can group the data ourselves. For example, we get age in years instead of date of birth, or a code that covers a large geographical areas instead of address or postcode. The data may have a ‘pseudonym’ (or coded reference) attached to it that links it to a particular individual without that individual being identified. This would allow us to understand, for example, how many people had one, two, three or more admissions to hospital without us knowing who the individual patient is.
Sometimes we do need to use information relating to individuals that could allow individuals to be identified. This personal data could include NHS number, date of birth, date of death, and postcode but would not include direct identifiers such as name and address. When we do this it is often because we need information where different sources of data have been linked together. For example, when we needed to plan new ways of supporting people to stop smoking, we linked data obtained from GP surgeries about smokers with information about hospital admissions. When we do need to use personal data in this way we ensure that as much of the detail as possible that could identify an individual is removed before we receive the data. For example, we may use the NHS number but replace date of birth with age in years and individual postcodes with codes that cover larger geographical areas.
Who will we share your personal information with?
Most of the information we produce is in the form of anonymous statistics published through our website and in reports and papers to the Health and Wellbeing Board, the governing bodies and performance boards. We never publish information to the general public that could be used to directly identify an individual.
For example, when we publish data where the numbers of people in a given category are small we would usually suppress those numbers or, where possible, combine categories so the numbers are larger.
We do not routinely share person-identifiable information with other organisations. However, we might need to share personal information (including special category information) in exceptional circumstances, such as an outbreak of a serious infectious disease (we have a lawful basis to share this information under Article 6(1)(d) – where information sharing is necessary to protect someone’s life – and Article 9(2)(i)).
On rare occasions the service providers we commission may have a legal duty or power to share information, for example for safeguarding or criminal matters.
How long will we keep your information?
The retention schedule sets out how long we keep personal information for, listed service by service. We will only retain your personal information for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any future legal, accounting, or reporting requirements.
Your personal information and your rights
You can find out more about your rights regarding the personal information used for this service. Your rights apply to the information held by the Council as a data controller, and the information we hold on behalf of the other data controllers.
If you have any questions or concerns about how the Council uses your personal information, please contact the Council’s Data Protection Officer.
If you have any concerns about the way the Council processes your personal information, you have the right to complain to the Information Commissioner’s Office.