Public Health and Communities privacy notice

This privacy notice tells you what information Public Health and Communities collects and uses, and your rights regarding your information.

General information

The Public Health and Communities directorate use data and information from a range of sources to exercise our statutory public health functions. On occasions we may need to collect and use personal data in order to fulfil these duties.

The processing of personal data is governed by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA 2018), as amended by the Data (Use and Access) Act 2025 (DUAA), collectively referred to as data protection law.

This privacy notice explains how the Public Health and Communities directorate uses information about you when you contact us or use our services, and how we protect your privacy.

Suffolk County Council is the controller for the personal information that is being processed. If you have any queries about how the team is collecting or using your personal data, you can contact Public Health and Communities via: HealthandWellbeing@suffolk.gov.uk.

Contact details for the council’s Data Protection Officer and Compliance Manager can be found in the council’s corporate privacy notice, which is available on the council’s website.

What is personal data?

Personal data includes information about you, which can be used to identify you as an individual. Examples include:

Your name
Your date of birth
Your contact details
Your image

Special category data is the most sensitive type of personal data and includes:

Information about your health or any social care services that you may use
Information that could identify your racial or ethnic origins
Information that could identify your political beliefs
Information that could identify your religious or philosophical beliefs
Information that could identify your trade union membership
Genetic data
Biometric data (where used to identify you, e.g. use of fingerprints to access online services)
Information about your sex life, or sexual orientation

The types of personal data that we process and where it comes from

The team works with many types of data to be able to promote health and support improvements in the delivery of health and care services in Suffolk. This includes processing:

Identifiable data, and data which would potentially identify a living person (this is known as personal data) as well as non-identifiable data.

The Public Health directorate obtains data from different organisations. This includes (list not exhaustive):

Hospital Episode Statistics (HES) from NHS England
Primary Care Mortality Database (PCMD) from NHS England
Births data tables from NHS England
Commissioned Services data including Provide Community from the 1 May 2024 (Suffolk Sexual Health Service), Turning Point in partnership with Anglia Care Trust and Iceni (integrated treatment and recovery service for drug and alcohol misuse), Feel Good Suffolk (stop smoking, weight management)
Specialised reviews from relevant teams in SCC and the NHS as required for the purpose of the review
Population Health Management data from local and national data sources from health and care providers
UK Health Security Agency (e.g. to deal with disease outbreaks).
Suffolk Office for Data & Analytics (this includes data from Suffolk County Council and other Suffolk organisations)
Schools (this includes data for the Asthma Friendly Schools project)

Note: All of the above organisations have their own privacy notices which set out why they need to share this data.

Why do we process your personal data?

We use the data to exercise our statutory Public Health and Communities functions, which include:

Planning and commissioning services
Improving the quality and effectiveness of commissioned services
Reviewing and assessing the performance of the local health and care system and to evaluate and develop it
Investigating incidents and in the management of risks to Public Health and Communities
Approving evidence-based interventions
Controlling infection
The National Child Measurement Programme
The NHS Health Check Programme
Supporting health visiting and school nursing services

This information is used to produce data and intelligence about the health and care needs of Suffolk residents, including:

The Suffolk Joint Strategic Needs Assessment (including Health Needs Assessments, and the Pharmaceutical Needs Assessment)
The Suffolk Annual Public Health Report
The Suffolk Joint Local Health and Wellbeing Strategy

Our legal basis for processing your information

Personal data

Under data protection law, we can only process your personal data if it is lawful to do so. For processing personal data, we rely on the following lawful basis(es):

UK GDPR Article 6(1)(e) – where processing is necessary for us to perform a task which is in the public interest (public task)
UK GDPR Article 6(1)(f) – where processing is necessary to meet our legitimate interests which are not part of our public function.

The legitimate interest basis under the UK GDPR allows the Public Health and Communities directorate to process personal data in ways that you would reasonably expect and that have a minimal impact on you, or where there is a justified reason for processing your data.

Special category data

When we process special category data, we rely on the following additional lawful basis(es):

UK GDPR Article 9(2)(h) – where processing is necessary for the provision of health and/ or social care purposes (Schedule 1, Part 1, section 2, DPA 2018)
UK GDPR Article 9(2)(i) – where processing is necessary for reasons of public interest relating to matters of public health (Schedule 1, Part 1, section 3, DPA 2018)

Sharing your information

We share your personal information with other organisations and public bodies only where it is lawful and where there are pre-agreed information sharing agreements in place. This includes:

Health bodies and providers including local GPs, hospitals, mental health trust and community health and care trust
Other local authorities
UK Health Security Agency (reporting communicable diseases and other risks to public health)

Whether we intend to transfer your information to another country

We do not transfer any personal data to any countries or international organisations outside of the EU, the EEA (European Economic Area), or any other country that does not have an equivalent level of data protection to the UK.

How long we keep your information

We keep personal data for as long as we need it to fulfil the purpose that it was collected for, and in line with any statutory or locally determined retention periods as agreed with the organisations that provide the data. All the data we process is kept safely and securely within our IT systems. At the end of the retention period data is securely destroyed.

Automated decision-making and profiling

We do not use automated decision-making processes or profiling in respect of your information as defined by GDPR/DPA.

Your rights under data protection law

Under data protection law, you have the right to request access to the information that we hold about you. If you would like to make a request to access your personal information, please contact data.protection@suffolk.gov.uk.

You also have other rights regarding your personal data. You can find out more information about these rights by looking at the council’s corporate privacy notice.

Your right to independent advice

If you would like independent advice on this privacy notice or other matters about how Suffolk County Council processes your personal data, including how to make a complaint, you can contact the Information Commissioner's Office at:

Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF

Telephone: 0303 123 1113

Email: casework@ico.org.uk