Coronavirus (COVID-19) pandemic privacy notice
This privacy notice explains how BCP Council will use your personal data in order to meet the unprecedented challenges of the COVID-19 pandemic, while supporting the community and providing essential services to those most in need.
Please read this privacy notice together with the Council’s general privacy notice which contains more detailed information about our data processing.
The Council and our partner agencies are committed to protecting your privacy. We will only process personal data that we need and we will use anonymised data where this is practicable. We will only retain your data for as long as is required to provide support because of the COVID-19 pandemic, after which we will securely destroy it, unless we are required by law to keep it for a longer period.
Important information and who we are
BCP Council is the data controller and is responsible for your personal data.
We have appointed a data protection officer (DPO). If you have any questions about this privacy notice or our data protection practices, please contact the DPO.
The Data Protection Officer role for BCP Council is held by the:
Contracts, Commercial and Information Governance.
If you have any queries or concerns about how your personal information please contact us using our general enquiries form or by writing or visiting us at:
How we collect personal data from you
We may collect personal data from you when you visit BCP Council’s websites, speak to us on the telephone, contact us in writing, by email or any other type of electronic communication, or talk to us face to face.
The personal data we collect about you
We may collect, use, store and transfer some or all of the following personal data, which may include special category (sensitive) data:
- Basic personal information, e.g. your name, address and date of birth
- Email address
- National identifier such as NHS number, National Insurance Number, etc.
- Information about your family
- Details about your lifestyle and social circumstances
- Physical and mental health details
- Social care support outcomes
Why we may use your personal data
We may use your personal data in order to:
- Manage public health risks
- Understand how COVID-19 behaves
- Control the spread of infection
- Provide support and health protection
- Prevent illness
- Monitor public safety
- Assess the availability and capacity of health and social care services
- Identify and safeguard individuals who are high risk and vulnerable
- Provide information to the public, partner agencies and central Government about COVID-19
- Collaborate with partner agencies, so that essential service provision is identified and supported
- Conduct research and emergency planning
How we share your personal data
Apart from personal data which we may collect directly from you, we may also obtain personal data from, and share it, with:
- Internal departments of the Council
- Our partner agencies, which include:
- other local authorities
- health service providers
- care providers, e.g. day, domiciliary or residential care
- police and probation services
- partners who are commissioned to provide services on behalf of the Council
- housing associations
- Volunteers and other support groups
- Family, relatives and carers
- Members of the public who contact us
- Central government agencies
This list is not exhaustive, but the Council will only share personal data where we are permitted to do so by law.
Lawful processing basis
The General Data Protection Regulation requires specific conditions to be met to ensure that the processing of personal data is lawful. These relevant conditions are below:
- Article 6(1)(d) GDPR – processing is necessary in order to protect the vital interests of the data subject or another natural person.
- Recital 46 adds that “some processing may serve both important grounds of public interest and the vital interests of the data subject as for instance when processing is necessary for humanitarian purposes, including for monitoring epidemics and their spread”.
- Article 6(1)(e) GDPR – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.
The processing of special categories of personal data, which include data concerning a person’s health, are prohibited unless specific further conditions can be met. These further relevant conditions are below:
- Article 9(2)(i) GDPR – processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health.
- Article 9(2)(g) GDPR - processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
- Article 9(2)(c) GDPR – processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent
If there is a significant threat to public health, e.g. an outbreak of an infectious disease, the Council has the legal right to use identifiable data under section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.
Moreover, BCP Council has statutory responsibilities and duties as a Category 1 Emergency Responder as set out in the Civil Contingencies Act (CCA) 2004. As such the Council is obliged to respond to and recover from major incidents in Bournemouth, Christchurch and Poole. The statutory duties placed on the Council as a Category 1 responder include the anticipation and assessment of risks, production of plans for the purpose of controlling and/or mitigating the impact of emergency incidents and business disruptions as well as effectively responding to, and recovering from, an emergency. The processing of personal data is necessary for compliance with the statutory requirements of the Civil Contingencies Act 2004.
If you register to volunteer to help the Council provide services, our lawful basis under GDPR is:
- explicit consent – Articles 6(1)(a) and 9(2)(a).
You can withdraw your consent at any time. Please contact or talk to the officer in the Council who has been providing the service or services. If you do not have an officer that you have regular contact with, please make your request to withdraw consent to our Customer Services team.
Remember to tell us which service or services your request applies to, so that we know who to send it to within the Council
Most of your personal data is stored on systems in the UK, but there may be some occasions where your personal data leaves the UK. This may be because it is stored in a system outside of the European Economic Area (EEA). More detail can be found in the Council’s general privacy notice.
Your legal rights
Under certain circumstances, you have rights under data protection laws in relation to your personal data including the right to receive a copy of the personal data we hold about you and the right to make a complaint at any time to the Information Commissioner's Office, the UK supervisory authority for data protection issues (www.ico.org.uk). More detail can be found in the Council’s general privacy notice.
NHS Test and Trace
In order to assist the NHS’s Test and Trace service, the Council is maintaining a temporary record of our visitors. This information will be shared with the NHS if needed, in order to help contain clusters and outbreaks during the coronavirus pandemic.
The information we will collect about you is as follows:
- Your name
- A contact telephone number
- The date of your visit, arrival time, and departure time
- Any staff member that you’ve interacted with.
If we do not have this data already on our systems, you will be asked to provide it.
This data will be held for 21 days, at which point it will be securely disposed of and deleted. If you prefer that we didn’t share this data with the NHS, you can opt-out. If you wish to do so, please notify a member of staff during your visit, or contact the Council's Data Protection Officer.
Do I have to provide the information?
The Department for Health and Social Care are clear that this is a voluntary scheme and nobody visiting our premises is required to provide their details. If you do not want any booking details you have supplied to be used for Test and Trace purposes please make this clear to a member of staff at the time of your visit
Although this is a voluntary scheme we strongly encourage our customers and visitors to share their details in order to support NHS Test and Trace - this information will only be used where necessary to help stop the spread of COVID-19.
The accuracy of the information provided will be the responsibility of the individual who provides it. The Council will not verify any visitor’s identity for NHS Test and Trace purposes.
If you are looking for more information on how we process your personal data, including on data security and data retention please access the Council’s general privacy notice.