Toggle mobile menu visibility

Public Health privacy notice

This page provides information on how Norfolk County Council's Public Health Service (Public Health) uses your personal information to exercise our statutory public health functions.

By 'use' we mean the various ways your personal information may be processed including storing and sharing the information.

We act as a 'data controller'. This means that we collect and process information. We also follow the high information governance standards and instructions as set by NHS Digital.

Further details

We also provide further details regarding:

  • Who we are
  • How long we use your information for
  • Your rights under the GDPR and
  • How to exercise them

You can see this information in our general privacy notice on our website or you can ask us for a copy of this information.

The information we collect and use

The personal information about you we may collect and use may include basic details about you such as name, date of birth, gender, email address, postcode and NHS number.

For infants, we collect and use identifiable data about births, including the baby's NHS number, date of birth and residential address of the mother.

We also collect health information including any disabilities and medical conditions you may have, details of your appointments, clinic visits and information from other health professionals. Health information is classed as "special category data" under the GDPR.

What we use your personal information for

We use your personal information primarily to understand more about the health and care needs of the populations in our area. In particular, we use the data to measure the health, mortality, morbidity and care requirements of our population, allowing us to plan and deliver health and care services in a coordinated and efficient way.

As well as the functions outlined above, we use your personal information for the following purposes:

  • Evaluation of social prescribing to understand how social prescribing services can reduce demand in other areas of the health and social care system
  • Organising the National Child Measurement Programme via Cambridge Community Services
  • Organising the NHS Health Check Programme
  • Organising and supporting the Healthy Child Programme
  • Contract monitoring of adult weight management referral service to satisfy eligibility is met
  • Producing assessments of the health and care needs of the population to support the responsibilities of the Director of Public Health; Joint Strategic Needs Assessment, Director of Public Health Annual report and Health and Wellbeing Strategy
  • Informing decisions on, for example, the design and commissioning of services
  • Assessing the performance of the local health and care system and to evaluate and develop it
  • Reporting summary statistics to national organisations
  • Undertaking equity analysis of trends, particularly for vulnerable groups
  • Supporting clinical audits
  • Reporting to government agencies (UKHSA) about communicable diseases and other risks to public health

We also use this information to assess the quality of our services and evaluate and improve our policies and procedures. We may also use information in other ways compatible with the above.

The National Data Opt-Out: Confidential patient information is used to provide you with support and care and to organise the services you need. It may also be used for wider planning or research in health and social care. To find out more or to stop your confidential patient information being used for this, see our national data opt-out privacy notice.

In addition, we work with data that does not identify you personally to be able to promote health and support improvements in the delivery of health and care services in Norfolk. This includes processing of:

  • Pseudonymised data: this contains information about individuals but with the identifiable details replaced with a unique code
  • Anonymised data: all identifying details have been removed from this information
  • Aggregated data: information has been grouped together and anonymised

This includes:

  • Hospital Episode Statistics provided to us by NHS Digital. This is a data warehouse containing pseudonymised records of details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. This data is collected during a patient's time at hospital and is submitted to allow hospitals to be paid for the care they deliver
  • Vital Statistics tables also provided to us by NHS Digital

Who provides this information

The personal information we hold includes information from the following sources:

  • NHS Digital: including Mortality Data and Births data tables
  • Cambridgeshire Community Services: to manage the contracts for the Healthy Child Programme and Sexual Health Service
  • East Coast Community Health: to manage the contract for the Stop Smoking Service
  • Change Grow Live (CGL): to manage the contract for the Drug and Alcohol Service
  • Slimming World: to manage the contract for the weight management referral service
  • Relevant teams within the County Council
  • Health bodies and providers including hospitals, mental health trust and community health and care trusts

How the law protects you and the legal basis for processing your information

We have legal grounds to process this personal information because it is necessary to comply with a legal duty or fulfil a public task under the Health and Social Care Act 2012, or the The Health Service (Control of Patient Information) Regulations 2002.

We also process personal information where it is necessary for the performance of a contract (e.g. lease, licence, service and maintenance contract).

We have legal grounds to process special category data where it is necessary

  • In the substantial public interest. This will include where it is necessary to carry out any of our statutory functions. The statutory function is set out above
  • For reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices

The GDPR includes safeguards to protect the use of your special category data. Further details can be found on our website in the document named 'Special category data and criminal offences data policy' which sets out our procedures for compliance with the principles of the GDPR and the retention and erasure of this information.

Who we share your information with

We may also share your personal information with other organisations and public bodies, in particular:

  • Public Health England
  • Police
  • Health bodies and providers including local GPs, hospitals, mental health trust and community health and care trust
  • Voluntary sector
  • Other local authorities
  • UK Health Security Agency (reporting communicable diseases and other risks to public health)

We share this information without your specific consent as it is reasonable and necessary to do so to fulfil our public tasks or it is otherwise in the substantial public interest to do so. The law imposes safeguards to protect your privacy in these circumstances.

We will also share your personal information, subject to contractual and other legal safeguards, with organisations contracted by NCC to provide a service to the council or directly to you. These service providers are known as data processors and have a legal obligation under GDPR and to NCC to look after your personal information and only use it for providing that service. These organisations include:

  • Healthy Child Programme - Cambridge Community Services
  • Sexual Health Services - Cambridge Community Services
  • Stop Smoking Service - East Coast Community Health Care
  • Drug and Alcohol Service - Change Grow Live
  • Wellbeing Support For men - MensCraft
  • Norfolk Slimming World on Referral - Slimming World.

We may also share your personal information across different departments of the NCC, where it is necessary for our public tasks or functions to do so.

We also share anonymised information with other organisations and public bodies including research partners.

Automated decision making

We do not make automated decisions about you and your family.

How we keep your information

The personal information is stored electronically, on the NCC's records management system. Additionally, information is securely stored in other mediums, including email accounts and in paper files. We do not process your information outside of the European Economic Area.


This notice was updated in March 2023.