This notice should be read in conjunction with our corporate privacy notice.
Who are we?
North Yorkshire Council is a ‘Data Controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR).
What personal information do we collect?
In order to deliver the public health service to our residents, we need to collect both personal and special category data depending on the specific service being delivered.
Personal data may include:
- names and contact details
- addresses
- date of birth
- case information and case details
- financial Information
- photographs or video recordings
- education history for example, qualifications
- unique identifiers
Special category data may include:
- racial or ethnic origin
- religious or philosophical beliefs
- health information
- sex life information
- sexual orientation information
Criminal conviction and offence history data may include:
- criminal offence data (including Disclosure Barring Service (DBS), Access NI or Disclosure Scotland checks)
- information relating to health and safety
Why do we collect your personal information and what is our lawful basis for processing?
We need to collect this information in order to fulfil our obligations in regard to the provision of the following services:
Service
Adult weight management
Purpose
To ensure the support offered to you by the programme is safe and appropriate for your needs; to allow us to monitor and evaluate uptake and outcomes of the programme, in order to ensure the service is meeting the needs of the local community; to contribute to research, national audits and minimum data sets where required.
Lawful basis
UK GDPR Article 6(1)(e) –Processing is necessary for the performance of a task carried out in the public interest.
UK GDPR Article 9(2)(h) – Processing is necessary for the purposes of the provision of health and social care.
Service
Living well smoke free
Purpose
Without your data we would not be able to assess your needs around smoking cessation or be able to recommend appropriate smoking cessation medication/nicotine replacement therapy.
Lawful basis
UK GDPR Article 6(1)(e) – Processing is necessary for the performance of a task carried out in the public interest.
UK GDPR Article 9(2)(h) – Processing is necessary for the purposes of the provision of health and social care.
UK GDPR Article 9(2)(i) - Processing is necessary for reasons of public interest in the area of public health.
Service
Public health
Purpose
There are several reasons why we collect and process personal and/or special category data. We review data about where people live, such as partial postcodes, in order to ensure everyone in the county can access our services. Where services are targeted to specific groups, for example, by age, we need to check that we are reaching people most effectively. Also:
- to plan and improve services that we provide and commission
- to provide you with a service that meets your needs
for communication purposes - to organise events
- for research and development purposes
- for epidemiological and surveillance purposes
Lawful basis
UK GDPR Article 6 (1)(a) – processing is under consent where you have opted in to receive general updates from our service, such as newsletters or marketing material.
UK GDPR Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject.
UK GDPR Article 6(1)(e) - processing is necessary for the performance of a task carried out in the public interest.
UK GDPR Article 9(2)(a) - explicit consent has been granted for the processing of special category data for one or more specified purposes.
UK GDPR Article 9(2)(h) - processing is necessary for the purposes of the provision of health and social care.
UK GDPR Article 9(2)(i) - processing is necessary for reasons of public interest in the area of public health.
Service
Sexual health service
Purpose
The integrated sexual health service is provided through a partnership agreement with York and Scarborough Teaching Hospitals NHS Foundation Trust who deliver open access sexual health services across North Yorkshire on behalf of North Yorkshire Council.
Lawful basis
UK GDPR Article 6(1)(c) - processing is necessary for compliance with a legal obligation to which the controller is subject.
UK GDPR Article 9(2)(h) – processing is necessary for the purposes of the provision of health and social care.
Who do we share this information with?
In the course of delivering care and support, we may need share your information with a number of external agencies who are key to delivering our services. These include:
- NHS agencies (GPs, hospitals, ambulance, health visitors), mental health services and other health providers
Education providers
- Domiciliary care, residential/nursing care and day care providers
- Local and central government agencies (such as the Department of Health and Department of Work and Pensions)
- Commissioned services including adult and child weight management, healthy child services, stop smoking services, flu vaccinations and adult drug and alcohol service
How long do we keep your information for?
The following tables details the retention periods for records relating to the Public Health services stated above:
Adult weight management
| Data held | Retention period |
|---|---|
| File of involvement with adult weight management | 6 years after it was created |
Living well smoke free
| Data held | Retention period |
|---|---|
| Smoking record | 10 years after last contact with client |
Public health service
| Data held | Retention period |
|---|---|
| Mailing list | Until you withdraw consent |
| Consultation responses | Length of consultation plus 2 years |
Sexual health service
| Data held | Retention period |
|---|---|
| Online surveys | 6 months after the consultation has concluded |
| Event name and preferred contact method (email, phone or post) | Year record created plus 1 year |
Other relevant transparency information
The legislation, policies and guidance that relates to these services include, but is not limited to:
- The Care Act 2014
- The Health and Social Care Act 2014
- Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002
In cases of legal action or formal complaints, call recordings may be retained beyond the standard retention periods and used as evidence. Access to such recordings will be restricted and managed according to legal requirements and internal procedures. Other data that we may hold about you is only kept for as long as is necessary and all data is retained in line with our record retention and disposal schedule (RRDS).
For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.