COVID-19 privacy notice
This privacy notice is an addendum to the council’s main privacy notice. It explains how we are collecting and using personal data as part of our response to the COVID-19 (coronavirus) pandemic.
Who is responsible for your information?
Chesterfield Borough Council is the data controller for the personal information collected.
Purposes of processing
Supporting service provision
We may need to collect your personal information, or re-use information we already hold about you. This may include sensitive personal information, for example information about your health. This information will be used to prioritise our services and to support those most vulnerable. For some services, this information will also be used to inform risk assessments to ensure the health and safety of our staff and customers.
Statistics and reporting
The council may also use your personal information in order to manage and better understand the spread and impact of the outbreak of Covid-19. This may include using or sharing your data for statistical or reporting purposes. Data will always be anonymised where possible.
NHS Test and Trace
We are required to collect data for the COVID-19 Test and Trace service. We will ask you for basic contact details if you enter some of our premises and venues. Data will only be kept for this purpose for 21 days. This data will be shared with NHS Test and Trace if there is a local outbreak and NHS Test and Trace may then contact you to provide appropriate advice. For further information, please see the privacy notice from the Department for Health and Social Care. If you want to opt-out of this processing, please let a member of staff know.
If you visit us, your contact data may also be collected as part of other business processes. Please see the When you contact us privacy notice, or relevant service specific notice.
If you apply to us for the Self-Isolation Payment, we will need to process some personal information about you in order to administer the service, validate your application and provide the payment. This will include:
- name and contact details
- employer’s name and address
- NHS notification number (the unique reference you will be given by the NHS Test and Trace Service to self-isolate)
- bank account details
- national insurance number.
We will carry out checks with the NHS Test and Trace service and the Department for Work and Pensions (DWP), for verification purposes, Her Majesty’s Revenue and Customs (HMRC), for tax and National Insurance purposes, and potentially with your employer in validating your application.
Information relating to your application will also be sent to the Department for Health and Social Care (DHSC) to help understand public health implications, allow us to carry out anti-fraud checks and determine how well the scheme is performing.
We will provide information to HMRC in relation to any payments we make because Self-Isolation Payments are subject to tax and National Insurance contributions. If you are self-employed, you will need to declare the payment on your self-assessment tax return.
Lawful basis for processing your personal data
How we are processing your personal data will determine the legal basis for processing. The legal bases for processing by the council as a public authority will be:
- Where disclosure is in the vital interests of yourself or another person (Article 6(1)(d) and 9(2)(c) GDPR)
- Where processing is necessary for a public task carried out in the public interest (Article 6(1)(e) and Article 9(2)(g) GDPR)
- Where it is necessary for compliance with a legal obligation (Article 6(1)(c) GDPR)
- Where it is in the interest of public health (Article 9(2)(i) GDPR)
Most of what we will do with your personal data will be covered by existing powers in current laws.
The Department of Health and Social Care has served notice under Regulation 3(4) of the Health Service (Control of Patient Information) Regulations 2002 (COPI) to require local authorities to process confidential patient information for purposes set out in that legislation.
Other relevant legislation includes:
• The Civil Contingencies Act 2004 and The Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005
• Legislation directly related to the coronavirus pandemic
Other data sharing
We may share your personal information with other public authorities, emergency services, and other stakeholders where we consider it necessary and proportionate, or where we are legally required to do so. This includes, but is not limited to:
- Derbyshire County Council and other local authorities
- Central government departments and related agencies
- Her Majesty’s Revenue and Customs (HMRC)
- Public Health England
- NHS and healthcare organisations
- GP surgeries
- Community groups and volunteers where appropriate
Please get in touch if you would like more information about how the council processes your personal data:
• contact the council's data protection officer.