Public Health privacy notice

Who we are

Croydon’s Public Health Team has a duty to improve the health of our local population.

To help us do this, we use data and information from a range of sources including the Office for National Statistics, NHS Digital, GP practices, clinical commissioning groups, pharmacies, hospitals and commissioned services to understand more about the nature and causes of disease and ill health and the health and care needs in our local population.

This information can contain personal data.

What information we collect

To fulfil its duties, the Public Health Team collects a variety of data including;

  • information collected at the registration of a birth or death
  • Information on the provision of public health services including immunisations, drug and alcohol treatment services, sexual health services, 0-5 health services, school nursing services, health improvement services and other public health initiatives
  • information about lifestyles and behaviours collected through population surveys
  • information regarding the prevalence of disease, including cancer registrations
  • information about health and social care use, including GP services, hospital services, pharmacy services, NHS community services, mental health services and social care services

Whilst much of this information is collected at a whole population level, some of the data provided is at an individual level. Information that relates to an identifiable living individual who can be either identified from that data or identified from the information combined with any other information that is in the possession of, or is likely to come into the possession of the person or organisation holding the information, is personal data.

Some personal data is shared with us, often under specific data access agreements. Standard information that is used to identify you will be NHS Number, name, date of birth and postcode.

How and why we use this information

How we collect it

This information is provided to the Public Health Team either directly from the public or by national and local NHS organisations, NHS Digital and local authority services and organisations. The information is shared with us in accordance with the principles outlined within the data protection legislation.

Why we collect it

From 1 April 2013, the Health and Social Care Act 2012 gave local authorities the power to perform public health functions. This means that Croydon Council has "a duty to improve the health of the people and responsibility for commissioning appropriate public health services".

Croydon Council collects and processes an amount of information that is necessary for us to deliver those responsibilities. Any personal data we hold is collected and processed in accordance with the requirements of the Data Protection Act 2018.

How we use it

The Croydon Council Public Health Team will access health and related information to analyse the health needs and outcomes of the local population, monitor trends and patterns of disease and the associated risk factors.

Examples of what this analysis informs include:

  • statutory responsibilities of the Joint Strategic Needs Assessment (JSNA), the local Health and Wellbeing Strategy and the Director of Public Health Annual Report
  • informing commissioning and design/delivery of services
  • health equity analyses
  • clinical audits
  • identifying and tackling inequalities
  • identifying priorities for action
  • public health surveillance
  • evaluation of performance of the local health and care system
  • health protection and other partnership activities

No personally identifiable information is published, and numbers and rates in published reports based on counts of fewer than five are removed to further protect confidentiality and anonymity.

The legal basis for this

The local authority has a legal status allowing the processing of personal confidential data for certain public health purposes under Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002.

The legal basis for the flow of data for the above purposes is set out in Section 42(4) of the Statistics and Registration Service Act (2007) as amended by section 287 of the Health and Social Care Act (2012).

The legal basis as set out in the GDPR for lawfulness of processing will be as set out in Article 6(1)(e): “processing is necessary to perform our public tasks.”

The legal basis for processing of special categories of personal data will be as set out in Article 9(2)(h): “processing is necessary for the purposes of preventative or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member state law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3 of the GDPR"

How we keep your information safe and secure

We are required to comply with the Data Protection Act (1998) to ensure information is managed securely and this is reviewed annually as part of our NHS Information Governance Toolkit assessment.

Information is strictly made available via secure transfer only to key professionals who have a clear and legal need to see it. All staff are required to undertake regular training and comply with policies and procedures around data protection, information security, confidentiality and the safe handling of information. The data are used in such a way that personal identifiable details are removed as soon as possible in the process of intelligence.

All data is stored securely will not be held longer than required based on the relevant retention policy.

Personal identifiable data will not be disclosed to anyone other than those processing the data for the above purposes without permission, unless we have a legal reason to do so, for example disclosure is necessary to protect a person from suffering significant harm or necessary for crime prevention or detection purposes.

Further information

The GDPR and Data Protection Act 2018 give you a number of rights to control what personal information is used by us and how it is used by us. Information about your individual data rights is listed in the Council’s corporate privacy notice on our website at

If you have any questions or concerns about the way we collect, store or use your personal information, please contact us in the first instance on 020 8726 6000.

For advice about data protection issues, you can contact the Information Commissioner’s Office (ICO) at

We reserve the right to amend this privacy notice at any time and will keep it under review. If we do make any changes, we will post the current version to our website at this address.

Last updated: April 2023