Welcome to sthelens.gov.uk

Best place to find information and services that your council provides...

St Helens Borough Council COVID-19 Response Privacy Notice

This privacy notice explains how we will collect, use and protect personal data specifically with regard to the Coronavirus (COVID-19) pandemic.

You may have provided personal information to us for a specific reason and normally, we would notify you if your information was being used for a different purpose. However, due to the COVID-19 situation, this will not always be possible.

If we already hold information regarding your vulnerability as defined in the current guidance from the Government and Public Health England, we may share this information with services both internal and/or external to us, for emergency planning purposes and/or to protect your vital interests.

The local authority receives data from Cabinet Office and St Helens Clinical Commissioning Group on individuals needing support, where they have been identified as vulnerable in relation to the COVID-19 virus. This support provided by the local authority will depend on needs identified by the user, and may include provisions of food, medicine, medical, health and/or mental health support. This will be in cases where individuals are not able to access these directly due to the person being at higher risk.

We are working together with Merseyside and Cheshire (CIPHA) in order to understand and manage regional risk factors, allowing for improved planning and resource management across the region. This involves sharing of some adult and children’s social care records on a regional level. Access to detailed records remains on a local level, regional data will be presented as anonymous.

We may need to ask you for personal information, including sensitive personal information that you have not already supplied - for example, your age or if you have any underlying illnesses or are vulnerable. This is so we can assist you and prioritise our services.

If we have information indicating that you are vulnerable, we may contact you to ensure your safety and to assist you where possible.

If you are a volunteer, we use your personal information to enable us to communicate with you in order to provide St Helens Together. If you are using St Helens Together, we use your data to enable our volunteers to support you during the COVID-19 pandemic and to keep you in contact with vital services.

In order to contain clusters or outbreaks of Covid-19 and to assist NHS Test and Trace, if you (customer, visitor or staff) are accessing one of our buildings e.g. Leisure Centre, Library, Children’s Centres etc. we will ask you for specific information that has been set out in government guidance. You can now download the test and trace ap to allow you to “check in” to our venues via the displayed QR barcodes.

NHS Test and Trace will ask for these records only where it is necessary, either because someone who has tested positive for COVID-19 has listed our premises as a place they visited recently, or because our premises have been identified as the location of a potential local outbreak of COVID-19.

Our Public Health department receive data from Public Health England to support the local test and trace service, both within the council, and as part of a Cheshire and Merseyside hub. This used to identify people with new diagnoses in order to measure spread of the virus, inform outbreak management and reduce disease transmission. This also supports work on healthcare demand with the NHS. Public Health England also provide information on people receiving a test and on the contacts of people with a positive diagnosis to further improve our local intelligence of the pandemic.

Processing activity

We may process personal information relating to:

  • St Helens Together
  • CIPHA
  • Communications from us to you, to help us match requests for volunteer support with people in our community able to help
  • Records of visitors
  • Monitoring and planning
  • Coronavirus testing and contact tracing
  • Support for vulnerable people

Information requirements 

Our processing activities may include:

  • Name
  • Address
  • Contact details (email and telephone number)
  • Date of birth
  • Medical history and GP contact details, including NHS number
  • Health indicators (mental health status, physical activity status)
  • Names and contact details for members of your family and support network
  • Information about your support needs
  • Unique IDs
  • Access to Council buildings

NHS Test and Trace

in relation to customers and visitors, we will record:

  • the name of the customer or visitor. If there is more than one person, we will record the name of the ‘lead group member’ and the number of people in the group;
  • a contact phone number for each customer, visitor or ‘lead group member’;
  • date of visit, arrival time and where possible, departure time for each customer, visitor and ‘lead group member’;
  • if a customer, visitor or ‘lead group member’ interacts with a member of staff, the name of the staff member will be recorded alongside that of the customer, visitor or ‘lead group member’.

In relation to staff, we will record:

  • the names of staff who work at the premises;
  • a contact phone number for each member of staff;
  • the dates and times that staff are at work.

If you are using the track and trace app then you can record your attendance by scanning our venue QR codes instead of providing us with this information directly, however you must do one or the other.

Lawful bases

Our lawful bases for processing your personal information are:

  • where processing is necessary in order for compliance with a legal obligation (Article 6 (1) (c) GDPR);
  • where processing is necessary in order to protect the vital interests of yourself or another person (Article 6(1)(d) and 9(2)(c) GDPR);
  • where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in us (Article 6(1)(e) GDPR), pursuant to the:
  1. Local Government (Miscellaneous Provisions) Act 1976 - recreational facilities
  2. Public Libraries and Museums Act 1964  - maintenance of museums and galleries
  3. Health and Safety at Work etc. Act 1974  - employer’s general duties to staff and persons other than staff
  4. Health Service (Control of Patient Information) Regulations 2002 - includes dissemination of confidential patient information to persons and organisations permitted to process confidential patient information under Regulation 3(3) of the Control of Patient Information Notice (COPI) – as required for a Covid-19 purpose and  processed solely for that Covid-19 purpose in accordance with Regulation 7 of COPI
  5. Civil Contingencies Act 2004 and Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 – exercise of  functions in an emergency
  6. Health Protection (Coronavirus, Restrictions) (No. 2) (England) Regulations 2020 – enforcement (closure of premises and businesses during the emergency)
  7. Health Protection (Coronavirus, Restrictions) (England) (No. 3) Regulations 2020 – powers to restrict movement in relation to certain premises, events and open public spaces
  • where processing is necessary for the reasons of substantial public interest (Article 9(2)(g) GDPR).

Recital 46 of the GDPR states 'Some types of processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread...'

Reasons for processing

Some of the information that is collected and shared is classified as special category personal data (health indicators, mental health status, physical activity status). This is processed for reasons of substantial public interest under the laws that apply to us (see above) where this helps to meet our broader social obligations such as where it is necessary for us to fulfil our legal obligations and regulatory requirements during the COVID-19 pandemic.

Data sharing

We may receive from and share your personal information with and including:

  • Our service departments (where necessary and proportionate)
  • CIPHA including Adult Social Care and Health and Children’s Social Care
  • Central Government
  • Public Health England
  • General Practitioners, other medical practitioners
  • Emergency Services/First Responders
  • St Helens Together volunteers
  • Voluntary and charity sectors
  • Register of volunteers
  • St Helens CCG
  • St Helens and Knowsley Trust
  • Other stakeholders (where necessary and proportionate)
  • NHS Test and Trace

We aim to protect your privacy and confidentiality and will only share personal information where necessary to provide support.

We may rely on a number of exemptions, which allow us to share information without needing to comply with all the rights and obligations under the Data Protection Act 2018.

Retention period

We will hold your data for the duration of the COVID -19 pandemic and up to three (3) months following notification from Central Government that there is no longer a pandemic. Our NHS Test and Trace log will be maintained for 21 days.

Anonymisation

Your personal information may be converted ('anonymised') into statistical or aggregated data in such a way that ensures that you cannot be identified from it. Aggregated data cannot, by definition, be linked back to you as an individual and may be used to conduct research and analysis, including the preparation of statistics for use in our reports.

We will not sell your personal information to third parties.

Right to object

Where processing your personal information is required for the performance of a public interest task (see our lawful bases above), you have the right to object on ‘grounds relating to your particular situation’. We will have to demonstrate why it is appropriate for us to continue to use your personal data.

Changes to this Privacy Notice

We will review this Privacy Notice regularly and will place updates on our website.

Further information

See the Information Commissioner’s FAQs on data handling during the COVID-19 pandemic.

Other Data Subject Rights

You have the right to ask for a copy of all personal identifiable information that the Council holds about you.

You have the right to ask the Council to amend inaccurate information.

You have the right to complain to the Information Commissioners Office

Tel: 0303 123 1113

Online: https://ico.org.uk/

Post: Information Commissioner, Wycliffe House, Water Lane, Wilmslow, SK9 5AF

St Helens Borough Council have appointed a Data Protection Officer who can be contacted via dataprotection@sthelens.gov.uk if you have any concerns with how we process your data.

For more information about your rights as a data subject or to make a data subject request please see https://www.sthelens.gov.uk/council/data-protection-freedom-of-information/data-protection/ or email dataprotection@sthelens.gov.uk

Last updated 22nd September 2020