COVID-19 privacy notice
This privacy notice is an addendum to the council’s main privacy notice. It explains how we are collecting and using personal data as part of our response to the COVID-19 (coronavirus) pandemic.
Who is responsible for your information?
Chesterfield Borough Council is the data controller for the personal information collected.
Purposes of processing
Supporting service provision
We may need to collect your personal information, or re-use information we already hold about you. This may include sensitive personal information, for example information about your health. This information will be used to prioritise our services and to support those most vulnerable. For some services, this information will also be used to inform risk assessments to ensure the health and safety of our staff and customers.
Statistics and reporting
The council may also use your personal information in order to manage and better understand the spread and impact of the outbreak of Covid-19. This may include using or sharing your data for statistical or reporting purposes. Data will always be anonymised where possible.
NHS Test and Trace
We have been asked to assist with the COVID-19 Test and Trace service. We will ask you for basic contact details if you enter some of our buildings. Data will only be kept for this purpose for 21 days. This data will be shared with NHS Test and Trace if there is a local outbreak and NHS Test and Trace may then contact you to provide appropriate advice. For further information, please see the privacy notice from the Department for Health and Social Care. If you want to opt-out of this processing, please let a member of staff know.
If you visit us, your contact data may also be collected as part of other business processes. Please see the When you contact us privacy notice, or relevant service specific notice.
Lawful basis for processing your personal data
How we are processing your personal data will determine the legal basis for processing. The legal bases for processing by the council as a public authority will be:
- Where disclosure is in the vital interests of yourself or another person (Article 6(1)(d) and 9(2)(c) GDPR)
- Where processing is necessary for a public task carried out in the public interest (Article 6(1)(e) and Article 9(2)(g) GDPR)
- Where it is necessary for compliance with a legal obligation (Article 6(1)(c) GDPR)
- Where it is in the interest of public health (Article 9(2)(i) GDPR)
Most of what we will do with your personal data will be covered by existing powers in current laws.
The Department of Health and Social Care has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require local authorities to process confidential patient information for purposes set out in that legislation.
Other relevant legislation includes:
• The Civil Contingencies Act 2004 and The Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005
• Legislation directly related to the coronavirus pandemic
We may share your personal information with other public authorities, emergency services, and other stakeholders where we consider it necessary and proportionate to do so. This includes, but is not limited to:
- Derbyshire County Council and other local authorities
- Central government departments and related agencies
- Public Health England
- NHS and healthcare organisations
- GP surgeries
- Community groups and volunteers where appropriate
Where data has been collected from venues for test and trace purposes, it will be shared with NHS Test and Trace if required.
Please get in touch if you would like more information about how the council processes your personal data:
• contact the council's data protection officer.