Privacy notice for COVID-19
Data protection and COVID-19
This privacy notice is an addendum to the council’s main privacy statement and notices, and it explains how West Suffolk Council (as Data Controller) may use your personal data, specifically in relation to the COVID-19 (coronavirus) pandemic.
You may have already provided information for a specific reason, and the council would usually seek to inform you that the data provided would be used for a different purpose. Due to the rapidly emerging situation regarding the current pandemic, this will not always be possible. If we already hold information regarding vulnerability, we may share this for emergency planning purposes or to protect your vital interests by sharing with services both inside and outside the council.
The Information Commissioner’s Office has published guidance on data handling during the pandemic.
In this current crisis, we may need to ask you for sensitive personal information that you have not already supplied, including your age or if you have any underlying illnesses or are vulnerable. This is so the Council can assist and prioritise its services.
Your personal data
Personal data relates to a living individual who can be identified from that data. Some of your personal data is classed as ‘special personal data’ because this information is more sensitive for example health information, ethnicity and religion and so on.
Why we may need to share your personal data
In this current pandemic, we may share your information with other public authorities, emergency services, and other stakeholders as necessary and only when necessary in a proportionate and secure manner. Contact with you to obtain consent before sharing will not be required for all the reasons described in this notice. Please be assured that protection of personal data remains a priority at this time after the health and safety of everyone.
We will only share your personal information where the law allows, and we always aim to share the minimum data necessary to achieve the purpose required. Further, the information will only be used for the purposes listed and retained for limited specific times.
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 allow us to share information for a wide variety of reasons. These are known as our ‘legal bases to process data’.
Data protection laws are written to facilitate valid information sharing, especially in times of emergency which often requires more collaborative working. The legal bases for processing data at the council during the COVID 19 pandemic are as follows:
- Fulfil an explicit statutory or government purpose
- Protect the public
- Satisfy external regulatory requirements
- Provide extra support for individuals with a disability or medical condition
- Safeguard children and individuals at risk, and
- Safeguard the economic well-being of certain individuals.
We also have a duty to comply with the obligations set out in other legislation. The list below shows some common examples, but is not exhaustive:
- Care Act (2014) – this allows councils to share data to promote individual wellbeing, support individual need for care and promote the integration of health and social care.
- Children’s Act (1989) – this allows councils to share data to safeguard and promote the wellbeing of children.
- Homelessness Reduction Act (2017) – this allows councils to share data as part of taking reasonable steps to help applications secure accommodation.
- Digital Economy Act (2017) – this allows councils to disclose information to improve public service delivery or to help reduce debt owed to West Suffolk Council.
- Civil Contingencies Act 2004 Part 1 Local Arrangements for Civil Protection – Civil Protection - Disclosure of information 6 (1) A Minister of the Crown may make regulations requiring or permitting the 'provider' to disclose information on request to another person or body listed in any Part of that schedule known as the 'recipient'.
Elements of the data protection law applicable at this time
The council will apply the following sections of the General Data Protection Regulation and Data Protection Act 2018 (other elements may be applied dependent upon emerging events):
- Article 6 (1) (c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
- Article 6 (1) (d) – processing is necessary in order to protect the vital interests of the data subject or of another natural (living) person
- Recital (more detailed explanation) 46 – The processing of personal data should also be regarded to be lawful where it is necessary to protect an interest which is essential for the life of the data subject or that of another natural person. Processing of personal data based on the vital interest of another person should in principle take place only where the processing cannot be manifestly based on another legal basis. Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread or in situations of humanitarian emergencies, in particular in situations of natural and man-made disasters.
- Article 6 (1) (e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
- Article 9 (2) (c) – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
- Article 9 (2) (g) – processing is necessary for reasons of substantial public interest…
- Article 9 (2) (h) - processing is necessary for the purposes of preventative or occupational medicine, where is it necessary for the provision of social care, the provision of health care or treatment or for the management of a health or social care system
- Article 9 (2) (i) – processing is necessary for reasons of public interest in the area of public health, such as protecting against cross-border threats to health or ensuring high standards of quality and safety of health care
Part 2, Chapter 2
- Section 7 (2) – Data Controller that is 'public authority' or 'public body' for the purposes of GDPR when performing a task carried out in the public interest or in the exercise of official authority vested in it.
- Section 8 – Lawfulness of processing: public interest
SCHEDULE 1, (Special categories of Personal Data), Part 1 (Conditions relating to Employment, Health and Research etc),
This condition is met if the processing is:
- necessary for the reasons of public interest in the area of public health and
- carried out by:
- or under the responsibility of a health professional, or
- another person who in the circumstances owes a duty of confidentiality under an enactment or rule of law.
SCHEDULE 1, (Special categories of Personal Data), Part 2, Substantial Public Interest Conditions
This condition is met if the processing:
- can reasonably be carried out without the consent of the data subject
- is necessary for reasons of substantial public interest.
1. This condition is met if the processing is:
a. necessary for the purposes of:
1.protecting an individual from neglect or physical, mental or emotional harm, or
2. protecting the physical, mental or emotional well-being of an individual,
b. the individual is:
1. aged under 18, or
2. aged 18 or over and at risk,
c. the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
d. the processing is necessary for reasons of substantial public interest.
2. The reasons mentioned in sub-paragraph (1)(c) are:
a. in the circumstances, consent to the processing cannot be given by the data subject
b. in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing.
3. For the purposes of this paragraph, an individual aged 18 or over is 'at risk' if the controller has reasonable cause to suspect that the individual:
a. has needs for care and support,
b. is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
c. as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.
You have several rights with respect to your personal data and these remain all intact during the current coronavirus pandemic. Any requests regarding your rights should be submitted to the Data Protection Officer. There may be a delay in responding fully to all requests within one calendar month, but we will strive to keep requestors updated with the progress of their request.
For any questions regarding the above, please contact us at: firstname.lastname@example.org or telephone: 01284 757173.