Public Health privacy notice

This privacy notice is designed to help you understand how and why the public health team process your personal data. This notice should be read in conjunction with our corporate privacy notice.

Who are we?

North Yorkshire Council is a ‘data controller’ as defined by Article 4(7) of the UK General Data Protection Regulation (UK GDPR). Local authority public health responsibilities are set out in the Health and Social Care Act 2012. We assumed these responsibilities on 1 April 2013.

We have appointed Veritau Limited to be our data protection officer.

Their contact details are:

What personal information do we collect?


  • name
  • address
  • postcode
  • date of birth
  • contact details

Special category data:

  • ethnicity
  • health information

Why do we collect your personal information?

In order to fulfil our statutory responsibilities we have a legal basis to process personal data for certain public health purposes under Section 42(4) of the SRSA (2007) as amended by Section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

There are several reasons why we collect and process personal and/or special category data:

  • to plan and improve services that we provide and commission

We review data about where people live, such as partial postcodes, in order to ensure everyone in the county can access our services. Where services are targeted to specific groups, for example, by age, we need to check that we are reaching people most effectively.

  • to provide you with a service that meets your needs

The public health grant to the council funds a number of services, most of which are provided by external organisations. These services will collect, store and process your personal data in order to assess and meet your needs and comply with any statutory requirements. Our contract with these organisations include our expectations of them in relation to compliance with data protection law. You should refer to their individual service privacy notices and websites for further information below this notice.

These services include:

  • adult weight management
  • adult drug and alcohol service
  • children’s weight management
  • flu vaccinations for North Yorkshire Council staff
  • healthy child services
  • sexual health services
  • stop smoking services
  • strong and steady

Where our services are provided by general practice and pharmacy teams you should refer to their privacy notice:

For communication purposes

We collect and store professional contact details for those on our circulation lists, those who attend meetings we organise and those we fund training for in order to send updates and meeting papers. The amount of personal data that we collect is very limited and only includes information relating to your job role which includes your job title, work address, email and telephone number.

To organise events

We will process your personal data to reserve a place for you at the event you desire to attend; to provide you with information about the event for which you have registered, that includes confirmation of a place, event updates, and possible changes, cancellation or similar information; to provide you with information about accessibility, transportation, parking, etc. that may impact on your attendance to the event; to share any relevant information after the event for example, copies of slides.

For research and development purposes

The Public Health team may conduct primary research, social marketing, and service evaluations, or commission academic or other suitable organisations to conduct these on our behalf.

For epidemiological and surveillance purposes

To produce assessments of the health and care needs of the population and identify priorities for resource allocation and action, in particular to comply with our statutory responsibilities:

Who do we share this information with?

In order to deliver the best possible service, the team or those we commission may need to disclose your personal data to other organisations.

This could include, but not necessarily limited to:

  • NHS agencies (GPs, hospitals, ambulance, health visitors), mental health services, and other health providers
  • education providers
  • domiciliary care, residential/nursing care, and day care providers
  • local and central government agencies (such as the Department of Health and Department of Work and Pensions)

Use of your NHS Number

If you are receiving support from one of our services then the NHS may share your NHS number with us. This is so that the NHS and adult social care are using the same number to identify you whilst providing your care. By using the same number we are able to work together to improve your care and support.

How long do we keep your information for?

We will only keep your personal data for as long as it is needed for the purpose it was collected for, or for as long as is required by legislation. There are different retention periods for different types of information. Please refer to the specific privacy notice for details of the relevant retention period.

The following table details the retention periods for records relating to mailing lists, public consultations, online surveys and events:

Data held Retention period
Mailing lists Until you withdraw your consent or updated annually or when consent preference is altered
Consultation responses Length of consultation plus two years
Online surveys For six months after the consultation has concluded
For events name and preferred method of contact which could include email address, telephone number, postal address Retain from year records created plus one year

What is our lawful basis for processing your information?

With regard to personal data:

  • Article 6(1)(a) - Consent Article 6(1)(c) – legal obligation
  • Article 6(1)(e) - Public Task

With regard to special category data:

  • Article 9(2)(a) - Consent
  • Article 9(2)(h) – provision of health and social care
  • Article 9(2)(i) – processing is necessary for reasons of public interest

Across the service, we rely on the appropriate legal basis for processing your personal and special category data. Please refer to the public health services specific privacy notices for more detailed information.

For more information about how we use your data, including your privacy rights and the complaints process, please see our corporate privacy notice.