Public Health privacy policy

All Local Authorities have a duty to improve the health of the population they serve.

To help with this, our Public Health team uses data and information from a range of sources including information collected at the registration of a birth or a death and client/customer use of provider services as commissioned by Medway Council.

Although not direct care, this helps us to understand more about the health and care needs of the populations in our area.

We can use the data to measure the health, deaths (mortality), illness (morbidity) and care requirements of our population, allowing us to plan and deliver health and care services in a coordinated and efficient way.

We act as a ‘data processor and controller’. This means that we collect and process information. We also follow the high information governance standards and instructions as set by NHS Digital. 

Types of information we use

We work with many types of data to be able to promote health and support improvements in health and care services in Medway. 

This includes processing:

  1. Identifiable data – containing personal data that can identify individuals, such as name, date of birth, gender, address, postcode and NHS number.
  2. Pseudonymised data – this contains information about individuals but with the identifiable details replaced with a unique code.
  3. Anonymised data – this information about individuals has had all identifying details removed.
  4. Aggregated data – this is when all anonymised information has been grouped together so that it doesn’t identify individuals.

How your information is used in Public Health

We hold or use the following data collections that contain various different types of data about individuals and populations:

  1. Secondary Uses Service (SUS) and Hospital Episode Statistics (HES) – We access pseudonymised records about health care and treatment you may have received in hospital and other secondary care providers. This includes in-patient and day-case admissions, out-patient appointments and Accident and Emergency attendances. We access this under licence from NHS Digital (previously the Health and Social Care Information Centre). We do not access identifiable data.
  2. Primary Care Mortality Database (PCMD) – This provides us with access to identifiable deaths (mortality) data as provided at the time of the registration of the death, along with additional General Practice details, geographical indexing and coroner details where applicable. This includes the address and postcode of the deceased, postcode of the place of death, NHS number, date of birth, date of death, name of certifier, and cause of death. Our access to the data is based on our geographical boundaries as a Unitary Authority and the Clinical Commissioning Group in Medway. This data is supplied to us by NHS Digital under strict licence and data disclosure controls.
  3. Births data tables – This dataset provides us with access to identifiable data about the number of births that occur within our geographical boundaries as a Unitary Authority and Medway Clinical Commissioning Group. It includes the address, postcode and place of birth of the mother and the postcode of place of birth of child, NHS number of child and the date of birth of the child. This data is supplied to us by NHS Digital under strict licence and data disclosure controls.
  4. Vital statistics tables – This dataset is aggregated together so that it does not identify individuals. It contains data on live and still births, fertility rates, maternity statistics, death registrations and cause of death analysis by our geographical boundaries as a Unitary Authority and Medway Clinical Commissioning Group. This data is supplied to us by NHS Digital under strict licence and data disclosure controls.
  5. Medway public health service data We collect data in the course of delivering our public health services, e.g. for smoking cessation or healthy weight. The data collected include basic demographic characteristics and items related to the delivery of the particular service. In doing so, we ask for explicit consent to collect and analyse the data. We do not routinely share personal identifiable information, except for direct care. We may on occasion share anonymised data collected by Medway Council with other organisations, e.g. for research purposes, however, only after conducting a privacy impact assessment and establishing a data sharing agreement with the organisation. We do not share any of the other data sets listed above.
  6. Automated decisions - We do not use data for the purpose of automated decision making, such as profiling.

COVID-19 and your information

The Medway Public Health team may use your information to protect you and others aginst coronavirus (COVID-19).

The Medway Public Health team uses patient information collected by health and social care services and national health bodies, such as UK Health Security Agency (UKHSA), to protect people in the area.

Data will be used to recognise trends, and monitor and manage outbreaks, under Regulation 3 of the Control of Patient Information Regulations (3(1)(b) and 3(1)(d)(i)). For more information view The Health Service (Control of Patient Information) Regulations 2002.

Kent, Medway and Sussex research

Medway Council is a programme partner for the Kent, Medway and Sussex Secure Data Environment for research. This is a trusted environment for researchers to access non-identifiable health and care data safely and securely.

Legal responsibilities

We have different legal responsibilities for different types of information we hold and analyse in the Public Health Information team. We follow Section 42(4) of the SRSA (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

How we keep data safe and secure

All the data we process and hold is kept safely and securely within our IT systems. When not in use our PCMD data is encrypted to AES standard 256 level.

We do not disclose any data to a third party who is not identified on our licence agreement with NHS Digital. Any data requests received from a third party will only receive anonymised and aggregated data to a level that complies with the Office of National Statistics Disclosure Guidance or, we are required to do so for legal reasons.

National data opt-out

The national data opt-out is a service that allows patients to opt out of their confidential patient information being used for research and planning. Specifically, these apply to disclosures requiring approval under section 251 of the National Health Service Act 2006 and its current Regulations, the Health Service (Control of Patient Information) Regulations 2002. The NHS Act 2006 and the Regulations enable the common law duty of confidentiality to be temporarily lifted so that confidential patient information can be transferred to an applicant without the discloser being in breach of the common law duty of confidentiality. 

Medway Council does not share data of this sort and there are no plans to do so in future. We only share confidential, identifiable information with other organisations, such as the NHS, for the purposes of direct care.
For more information about the National data opt-out, view our statement of compliance.

Access to your personal information

To make a request for personal information you will need to make an information request

In order to process your request we require copies of documents to verify your identity, such as a passport. The information you have asked for will be provided within one month.

When making your request, it would be helpful if you specified the likely location of where the information may be held or narrow your request to specify dates. This will simplify the process for responding to the request.

For independent advice about the use of your data, contact the Information Commissioners Office.