Bromley Council has a duty to improve the health of our residents. To help us do this, we use data and information from a range of sources including the Office for National Statistics, NHS Digital, Clinical Commissioning Groups and hospitals to understand more about the nature and causes of disease and ill health in Bromley.

This data can contain personal information.

What is personal information?

Personal information is data that relates to a living individual who can be either:

  • Identified from that data or
  • Identified from the information combined with any other information that is in the possession of or is likely to come into the possession of the person or organisation holding the information

Personal information includes expressions of opinion about an individual and any indications of intention in respect of the individual.

Basic personal data includes name, address, date of birth, telephone numbers, and/ or NHS number.

The Data Protection Act 2018 tailors how the EU General Data Protection Regulation (GDPR) 2016/679 applies in the UK. The Data Protection Act 2018 (DPA) also identifies “sensitive personal data”. Sensitive personal data includes racial or ethnic origin, offences or alleged offences, physical or mental health conditions and use of hospital services, religious beliefs, sexual orientation, biometrics and genetic data.

For further information on the DPA refer to the Information Commissioner’s website. For more information see our Data Protection Policy.

Why do we collect your personal information

Since April 2013, The Health and Social Care Act 2012 has given all local authorities the power to perform public health functions. This means that Bromley Council has “A duty to improve the health of the people and responsibility for commissioning appropriate public health services”. The statutory responsibilities for public health services are clearly set out in the Health and Social Care Act 2012.

Bromley Council collects and processes an appropriate amount of information that is necessary for us to deliver those responsibilities. Any personal information we hold is collected and processed in accordance with the requirements of the Data Protection Act 2018 and Caldicott Principles. Information will not be held for longer than required and will be disposed of securely once no longer needed.

You have the right to opt out of Bromley Council receiving or holding some of your personal identifiable information. There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. The process for opting out will depend on the specific data and what programme it relates to. For further information, please contact the public health team by email at data.protection@bromley.gov.uk.

How do we use your personal data?

London Borough of Bromley Public Health team will access health and related information to analyse the health needs and outcomes of the local population and for monitoring trends and patterns of diseases and the associated risk factors.

London Borough of Bromley will have access to the following data:

  • Primary Care Mortality Database (PCMD) - The PCMD holds mortality data as provided at the time of registration of the death along with additional GP details, geographical indexing and coroner details where applicable.
  • Births and Vital Statistics datasets - Births files include date of birth, sex, birthweight, address, postcode, place of birth, stillbirth indicators and age of mother. Deaths data includes: deaths broken down by age, sex, area and cause of death sourced from the deaths register.
  • Hospital Episode Data (HES) - is a data warehouse containing details of all admissions, outpatient appointments and A&E attendances at NHS hospitals in England. This data is collected during a patient's time at hospital and is submitted to allow hospitals to be paid for the care they deliver. HES data is designed to enable secondary use, that is, use for non-clinical purposes, of this administrative data.

The council Public Health team is, however, committed to using pseudonymised or anonymised information as much as is practical, and in many cases this will be the default position. Pseudonymisation is a procedure by which the most identifying fields within a data record are replaced by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field. The purpose is to render the data record less identifying and therefore lower customer or patient objections to its use.

Anonymisation is the process of removing identifying particulars or details from (something, especially medical test results) for statistical or other purposes.

All the above mentioned information is accessed, processed and securely stored by public health staff and is used to carry out and/or support:

  • Health needs assessments
  • Health equity analysis
  • Commissioning and delivery of services to promote health and prevent ill health
  • Public health surveillance
  • Identifying and tackling inequalities
  • Joint Strategic Needs Assessment
  • Annual Public Health Report
  • Health protection and other partnership activities.

No personal-identifiable information is published, and numbers and rates in published reports based on counts of fewer than five are removed to further protect confidentiality and anonymity.

The legal basis for the flow of data for the above purposes is set out in Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012) and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

Lawfulness conditions and special categories of processing

The legal basis as set out in the GDPR for lawfulness of processing will be as set out in Article 6(1)(c):

“processing is necessary for compliance with a legal obligation to which the controller is subject.”

The legal basis for processing of special categories of personal data will be as set out in Article 9(2)(i):

“processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices,..”

Will this information be used to make automated decisions about you?

No.

Will your data be transferred abroad?

No.

Who do we share your information with?

This Information will not be disclosed or provided to anyone else or used for any other purpose than that for which it was originally obtained unless required by law.

Information which you have provided the council will be stored securely. It will be used for the purposes stated when the information was collated.

Public health staff will only carry out data linkage of the information supplied to other sources of data with prior agreement of NHS Digital.

How long will we keep this data for and why?

We only keep hold of information for as long as is necessary. This depends on what the specific information is and the agreed retention period. Data is disposed of permanently after this period, in line with the council’s Retention Policy/Schedule or the specific requirements of the organisation who has shared the data with us.

Your information rights

Under the data protection legislation you, as the data subject, have the right to:

  • Access the information we hold about you.
  • Request that we rectify any information about you that is incorrect. Simple inaccuracies, such as address changes will be made. Depending on the purpose for processing, records (including statements and opinions) may not be changed. However, there may be the option for you to provide a supplementary statement which can be added to our records.
  • Request that records we hold about you are erased.
  • Restrict processing of the information we hold about you if you have an objection to that processing, whilst your objection is investigated.
  • Request that any information that you have provided to us is given back to you in a format that you can give to another service provider if required.
  • Object to processing of your personal information including automated decision making and profiling.
  • Make a complaint to a supervisory authority if you are not satisfied with how the information held about you has been handled.

For further information and to access our information request form please see Subject Access Requests.