Cheshire East Public Health Team - Privacy notice

What personal information is being processed and what for

The Cheshire East Public Health Team has a duty to protect and improve the health of the residents of Cheshire East. The team focuses on preventing ill health and to do this it needs to understand how, why, where and when ill health occurs.

Our Public Health team uses personal identifiable information (this means data which relate to a living individual, who can be identified from the data or from that data and other information held by the data controller i.e., it can be linked to become identifiable) about residents and users of health care.

The key functions of the team are: 

  • Control of infectious diseases
  • Specialist public health advice to NHS partners e.g., integrated care board(s) (ICBs)
  • Organising the National Child Measurement Programme (NCMP)
  • Organising the NHS Health Checks programme
  • Organising the health services for 0-19 year olds, including health visiting and school nursing

The Public Health team also uses the information to derive data and intelligence for research and planning purposes, which include: -

  • Producing assessments of the health and care needs of our populations, particularly our statutory responsibility to produce: -
  • Joint Strategic Needs Assessment (JSNA)
  • Director of Public Health Annual Report
  • Health and Wellbeing Strategy
  • Identifying priorities for action
  • Informing decisions on (for example) the design and commissioning of services
  • Assessing the performance of the local health and care system, evaluate and develop them.
  • Reporting summary statistics to national organisations
  • Undertaking equity analysis of trends, particularly for vulnerable groups
  • Supporting clinical audits

Most of the data analysis is undertaken by the Public Health Intelligence Team, but other members of the Public Health Team may occasionally process non-identifiable data for commissioning or health improvement. The public health team may collect identifiable data directly to provide a service (primary use of data) or the identifiable data may be shared with it by another organisation (secondary use of data).

In secondary use of data, the data is used in such a way that individuals cannot be identified, and personal identifiers are removed as soon as possible in the processing of data.  There is a clear separation between those people nominated to process the data and those that use the data for secondary analysis.  Data is often anonymised or pseudonymised.  Anonymised data has all personal identifiers removed such that they cannot be replaced.  When data is pseudonymised the identifiers are replaced either with an alternative identifier, so a unique code instead of an  NHS number, or with an aggregated field, such as an age band or geographic code.  Pseudonymised data can be re-identified with access to the source file.

The Team receives the following data sets which are classed as identifiable under  GDPR from other organisations:

  • Public Health Births File
  • NCMP Data
  • The Public Health Mortality File (PCMD) – The PCMD relates to deceased individuals but contains some identifiable information about living persons in relation to death certification (Medical professionals and Coroners)

Why we are allowed to use your information

The Public Health team have a legal status allowing the processing of Personal Confidential Data for certain Public Health purposes. The use of such data will be restricted so that the principles contained in the Data Protection Act 2018 and General Data Protection Regulation Articles 6 and 9 (2018) are fully adhered to. The legal basis is: -

  • we have a legal obligation (GDPR Article 6 (c)
  • we need it to perform a public task (GDPR Article 6 (e)

When we collect data about your race, health (including biometric or genetic data), sex life, sexual orientation, ethnic origin, we also rely on the following lawful basis:

  • we need to collect it for Substantial Public Interest to comply with UK legislation (GDPR Article 9 (2) (g)
  • we are providing you with health and social care support (GDPR Article 9 (2) (h))
  • we need to collect it for public health (GDPR Article 9 (2) (i)
  • we need to analyse your information (GDPR Article 9 (2) (j))

The legislation we rely on when using your personal information to meet our legal obligations or public tasks includes but is not limited to:

  • Statistics and Registration Service Act (2007), section 42 (4)
  • Health and Social Care Act (2012), section 287
  • Health Service (Control of Patient Information) Regulations 2002, regulation 3
  • Equality Act

More detailed information regarding individual personal or sensitive data held by the Public Health Team and the legal basis for collecting, holding, and processing, is recorded on the Information Assets Register:

Information Asset Register (

Local authorities have a legal duty to collect the NCMP data under The Local Authority (Public Health, Health and Wellbeing Boards and Health Scrutiny) Regulations 2013. They do this by following guidance from the Office for Health Improvement and Disparities part of the Department of Health and Social Care (DHSC). Local authorities are responsible for making decisions on how the data is collected and for making sure it is protected.

Who we will share your information with

Confidential public health data will only be shared with other areas of the NHS, local authorities or care organisations with the permission of the Caldicott Guardian, once the necessary legal basis has been established and data protection safeguards have been verified, so that the data is managed and used under the same restrictions. Anyone who receives information from Cheshire East Council Public Health is also under a legal duty to keep it confidential.

The public health team will only publish and share data which has been aggregated (grouped).  We will routinely suppress (hide) or round small numbers and ensure that such figures cannot be obtained by adding and subtracting other figures to work out the missing one. We will not link records in different datasets e.g. hospital and mortality files, unless we have been given express permission by ONS and NHS England (formally NHS Digital) to do so.

Under the terms of our agreement with ONS, we may not share data which identifies or may potentially identify an individual, living, or dead. This agreement is enforceable by law.

Identifiable information will only be shared with other organisations where we have a legal duty to do this for safeguarding, to protect the health of an individual or group, or for criminal proceedings.

Where we get your information from

The information is collected in two ways:

1. It may be given to us directly by a member of the public when they sign up to use a service we are providing.

2. It may be shared with us by another organisation due to us being part of a service they are providing, or as part of research and intelligence necessary for Public Health functions, such as informing decisions on the design and commissioning of services. This will include organisation such as Office for National Statistics, NHS England (formally NHS Digital), national and local NHS bodies and Clinical Commissioning Group, local authorities, and schools.

NCMP data is collected by school nurses and transferred to NHS England (formally NHS Digital) via the NCMP data portal. Authorised individuals have access to this child identifiable information on the portal. We do some quality checks on data before submitted and later receive identifiable and sensitive cleaned data from NHS England (formally NHS Digital), which is used for statistical purposes

How long we will keep your personal information

We will only keep hold of your personal information for as long as necessary. This will depend on what the specific information is and the agreed time. Some retention periods are specified by the organisations who have shared the data with us. You can see details of our retention guidelines on our information asset register. Data will be disposed of permanently after the specified period.

Please see the Information Assets Register:

How your information is stored

We comply with the Data Protection Act to ensure information is managed securely. This is reviewed every year as part of our Data Security and Protection Toolkit assessment.

All identifiable, pseudonymised and sensitive datasets are stored electronically on secure servers The number of staff accessing and handling such data is limited to only those key professionals named on relevant signed information sharing agreements (where applicable), all who undertake regular training about data protection and managing personal information

What happens if you don’t provide us with your information

You have the right to opt out of Cheshire East Council Public Health receiving or holding your personal identifiable information. The process for opting out will depend on the specific data is and what programme it relates to. As such please inform the person to whom you are asked to provide your data that you want to opt out

Will your information be used to make automated decisions


Will this information be transferred abroad


Your rights

Under data protection law, you have rights including:

  • your right of access - you have the right to ask us for copies of your personal information.
  • your right to rectification - you have the right to ask us to rectify information you think is inaccurate. You also have the right to ask us to complete information you think is incomplete.
  • your right to erasure - you have the right to ask us to erase your personal information in certain circumstances.
  • your right to restriction of processing - you have the right to ask us to restrict the processing of your information in certain circumstances.
  • your right to object to processing - you have the right to object to the processing of your personal data in certain circumstances.
  • your right to data portability - you have the right to ask that we transfer the information you gave us to another organisation, or to you, in certain circumstances.

Data Controller

Cheshire East Council
c/o Municipal Buildings, Earle Street, Crewe, Cheshire CW1 2BJ

Data Protection Officer

1st Floor, Westfields
c/o Municipal Buildings, Earle Street, Crewe, Cheshire CW1 2BJ

You also have the right to complain to the Information Commissioner’s Office using the following details:

Page last reviewed: 22 February 2024