Health Protection (including COVID-19 Response), Public Health and Communities Directorate

This privacy notice explains how Health Protection uses information about you when you contact us or use our services, and how we protect your privacy.

General information

Health Protection, Public Health and Communities Directorate (Health Protection) is responsible for providing outbreak management support and advice, liaison with internal and external stakeholders, and providing a telephone contact service for individuals regarding their COVID vaccination. On occasion we may need to collect and use personal data to fulfil these duties.

The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), collectively referred to as data protection law.

Suffolk County Council is the controller for the personal information that is being processed. If you have any queries about how Health Protection is collecting or using your personal data, you can contact the service on: or

Contact details for the council’s Data Protection Officer and Compliance Manager can be found in the council’s corporate privacy notice, which is available on the council’s website.

The delivery of Suffolk County Council’s Health Protection work involves the co-ordination of resources which includes information sharing between national, regional, and local organisations and agencies to deliver and support all aspects of outbreak management.

We collect the following personal data from you when the contact centre call you via telephone:

  • Name
  • Contact details including email address and telephone number
  • Your date of birth
  • Vaccination Status
  • Ethnicity
  • Any other personal information that you provide that is relevant to your contact.

We collect data on COVID-19 cases, tests and variants from the UK Health Security Agency, East Suffolk and North Essex NHS Foundation Trust and NHS Digital which may include the following information:

  • Name, address, contact details (email and telephone numbers)
  • Date of birth
  • Gender
  • Ethnicity
  • Health indicators (mental health status, physical activity status, Covid-19 test results including positive, negative, and void tests)
  • Covid-19 vaccinations (non-identifiable data)
  • Unique IDs, including NHS number
  • Occupation
  • Employer details
  • Hospital admission details
  • International travel information.

During the period the National Test and Trace programme was in operation, we collected data to support the Suffolk Contact & Trace Service. This service was stood down in February 2022. The data has been archived and is being retained in line with records management policies but is no longer actively used.

In addition to the personal data types detailed above we also collected and managed the following information as part of the Suffolk Contact & Trace Service:

  • Leisure activities in so far as they relate to your risk of transmitting Covid-19
  • Names and contact details for members of your family, your household, and people you have been in contact with in the 48 hours prior to either your positive test or the date your symptoms started
  • Information about your support needs.

The above data is used to support:

  • The work of the Suffolk Public Health Enhanced Health Protection Team in co-ordinating the outbreak management response in Suffolk
  • Managing and preventing the spread of Covid-19 and other diseases within settings, for example, all care homes and home care providers
  • Managing, monitoring, and preventing the spread of Covid-19 and other diseases within demographic groups, for example, using demographic data in relation to age, ethnicity, geographical levels of socio-economic deprivation, and socio-economic categorisation of geographical areas to consider whether there are links between cases in time, by place or through people, and to ensure that any inequalities in access to services are understood and addressed
  • Epidemiology research and surveillance, including monitoring the prevalence of new variants of infectious disease.

Although contact tracing through the Council’s Contact and Trace Service is no longer conducted, local records have been archived and are being retained in line with records management policies.

The above data is used to support:

  • Managing our services
  • Managing outbreaks within Suffolk within high-risk settings to protect the vulnerable and high-risk population and enabling appropriate public health action to be taken
  • Epidemiological surveillance and research
  • Training staff
  • Investigating complaints about our services
  • Monitoring and protecting public spending
  • Monitoring the quality of our services to ensure they are delivered in the most efficient and effective way
  • Helping us to improve and plan new services
  • Complying with laws that require us to provide personal information to other organisations, such as health organisations and courts
  • To inform any required public health action and advice which needs to be provided to the community around prevention and control
  • To monitor the delivery of COVID-19 immunisation programmes, identifying and responding to inequalities in uptake
  • To offer support for vaccination uptake - to enable more focussed calls / contact to those who are unvaccinated to offer to book them into appointments.

Under the national data opt-out everyone who uses publicly funded health and/or care services can stop health and care organisations from sharing their “confidential patient information” with other organisations if it is not about managing or delivering their own care. For example, if this information is used for research or planning purposes.

At this time, the council does not share any data for planning or research purposes for which the national data opt-out would apply. We review all of the confidential patient information we process on an annual basis to see if this is used for research and planning purposes. If it is, then individuals can decide to stop their information being shared for this purpose.

You can find out more at Your NHS data matters.

Personal data

Under data protection law, Health Protection can only process your personal data if it is lawful to do so. Please see the details below of the lawful bases that we rely on for processing different types of personal data.

For processing personal data, we rely on the following lawful basis:

  • UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task) where that task has a clear basis in law - The Health Service (Control of Patient Information) Regulations 2002, Regulation (3)(1)

Special category data

When we process special category data, we rely on the following additional lawful basis:

  • UK GDPR Article 9(2)(i) – where processing is necessary for reasons of public interest relating to matters of public health (Schedule 1, Part 1, section 3, DPA 2018)


The Health Protection Team, Suffolk County Council may share your information with certain partner organisations, such as UKHSA, other Local Authorities, and other stakeholders including Care Settings, Health Settings and Educational Settings.

We also collect and may share data with partner organisations and other stakeholders including local authorities, care homes, workplaces and health settings.

How data is supporting the COVID-19 response | NHS

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

We keep personal data for as long as we need it to fulfil the purpose that it was collected for, and in line with any statutory or locally determined retention periods. The retention of your information for this purpose is reviewed every six months.

Records pertaining to the outbreak of notifiable disease will be retained for a period of six years, although they may be archived before this time, awaiting secure deletion.

The Health Protection Team, Suffolk County Council does not use automated decision-making processes or profiling in respect of your information.

Under data protection law, you have the right to request access to the information that we hold about you. If you would like to make a request to access your personal information, please contact

You also have other rights regarding your personal data. You can find out more information about these rights by looking at the council’s corporate privacy notice.

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House
Water Lane
Telephone: 0303 123 1113