Public Health privacy notice

As a local authority we have a duty to improve the health of the population we serve in Surrey. This duty is outlined in the Health and Social Care Act 2012 and further specified in the Conditions and Mandates of the Ring Fenced funding Grant issued to Public Health services. To help us do this, we process data and information from a range of sources across the Health and Social Care system and Governmental Bodies. This includes the Office for National Statistics (ONS), Public Health England, NHS-England, NHS Digital, local Clinical Commissioning Groups (CCGs), GPs and hospitals.

Access to and use of this information allows us to understand more about disease and ill health in Surrey and to support our legal public health functions. This notice gives you further details.

In all cases the legal basis for the use of this information is derived from the statutory functions listed and subsequently falls within the GDPR article conditions below:

  • 6(1)(c) '…necessary for compliance with a legal obligation…' and:
  • 9(2)(j) '…necessary for reasons of public interest in the area of public health…or ensuring high standards of quality and safety of health care and of medicinal products or medical devices…'

Types of information we use

We work with many types of data to be able to promote health and support improvements in the delivery of health and care services in Surrey. We can describe the data as follows:
1. Identifiable data – this is personal data that can identify individuals, such as name, date of birth, gender, address, postcode and NHS number.
2. Pseudonymised data – this contains information about individuals but with the identifiable details replaced with a unique code.
3. Anonymised data – All identifying details are anonymised so individuals cannot be identified.
4. Aggregated data – This is data that has been grouped together so that it doesn't provide information on individuals, only groups of people.

Surrey Civil Registration Data

We receive data on deaths within Surrey from the Surrey Civil Registration Office. This includes details of the deceased along with the cause of death. The data has been used to plan for demands on services, support public health analyses arising from Covid-19 and to remove names from our "Shielded" list. This data will continue to be extracted and used for various health surveillance programmes, modelling and forecasting purposes in the future.

According to the Registration Handbook B12, there is a statutory duty for Registrars to provide the data returns to the director of public health or nominated representative within the local authority. The legal basis is given in Section 269(2) of the National Health Service Act 2006 (as amended by the Health and Social Care Act 2012). The National Health Service and Public Health (Functions and Miscellaneous Provisions) Regulations 2013 place a duty on each registrar of births and deaths in England to furnish to the following health organisations particulars of every birth, still-birth and death registered in his/her sub-district.

Articles 6 and 9 of the General Data Protection Regulation (GDPR) provide a gateway in the legislation for sharing where the processing is '…necessary for the performance of a task carried out in the public interest or in the exercise of official authority' and for '…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…' respectively.

Further, sections 8 through 11 of the DPA2018 clearly codify the lawful basis for processing personal data and special categories of personal data as stated in Article 6 and 9 of the GDPR.

National Child Measurement Programme (NCMP)

The National Child Measurement Programme (NCMP) is a nationally mandated public health programme. Data is collated through school nurses/NHS Community Services who visit schools across Surrey and record the height & weight of children in Reception Year and Year 6 of Primary schools. This data is used for the child excess weight indicators in the Public Health Outcomes Framework, and is part of the government's approach to tackling child obesity.

Public Health England provides strategic leadership and support for this programme, and local authorities deliver it. Data is uploaded to an NHS Digital web tool (NCMP Data Collection System) and processed for PH England before results are returned to the Local Authority.

Parents receive letters/emails if a child is considered underweight/overweight or if results are specifically requested by the parents.

Articles 6 and 9 of the GDPR provide a gateway in the legislation for sharing where the processing is '…necessary for the performance of a task carried out in the public interest or in the exercise of official authority' and for '…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…' respectively.

Further, sections 8 through 11 of the DPA2018 clearly codify the lawful basis for processing personal data and special categories of personal data as stated in Article 6 and 9 of the GDPR.

As the Public Health function is set out in statute and funded to protect and improve health, the programmes commissioned in support of this objective fall within the listed GDPR criteria. Further information on lawful processing in this arena is available from NHS Digital.

Details of Data we receive from NHS Digital

We receive the following data from NHS Digital (previously the Health and Social Care Information Centre) which is supplied to us under a Data Sharing Agreement (DSA). The terms of this agreement stipulate that data are supplied to us in accordance with section 42(4) of the Statistics and Registration Service Act 2007 as amended by section 287 and s261(5)(d) of the Health and Social Care Act 2012, and Regulation 3 of the Health Service (Control of Patient Information) Regulations 2002. The latter stipulates that the data can only be used for statistical analyses carried out by Public Health Analysts for Public Health purposes.

The legal basis for processing the data is covered by Article 9 (2) (h) and Article 6 (1) (e) of the GDPR. This data is only supplied to us by NHS Digital under strict licence and data disclosure controls:

1. Hospital Episode Statistics (HES) – Pseudonymised records about health care and treatment of patients within any English hospital. This contains data collected when someone is admitted to a hospital bed, treated as a day patient, attends as an outpatient, or attends an urgent care centre (such as an Accident & Emergency department). This data includes the patient's age, method of admission, source of admission, diagnosis codes, procedure and investigation codes, area of residence, hospital attended, date of attendance, and GP practice of patient.
2. Primary Care Mortality Database (PCMD) – The PCMD provides us with access to identifiable mortality data which is based on death registrations. The data includes the address, postcode of residence of the deceased, postcode of the place of death, NHS number, date of birth, date of death, name of certifier, and cause of death but not names. Our access is limited to those deaths which occurred within Surrey's borders, deaths to Surrey residents and deaths in the registered population of GP Practices within Surrey's Clinical Commissioning Groups. The access to this database is via a secure internet connection (referred to as the NHS N3 Connection).
3. Births data tables – This dataset provides us with access to identifiable data about the number of births that occur within Surrey (Surrey County Council and Surrey's Clinical Commissioning Groups boundaries). It includes the address of usual residence of the mother, place of birth, postcode of usual residence of the mother, postcode of place of birth of the child, NHS number of the child and the date of birth of the child but no names.
4. Vital statistics tables – This dataset is aggregated together so that it does not identify individuals. It contains data on live and still births, fertility rates, maternity statistics, death registrations and cause of death analysis within Surrey (Surrey County Council and Surrey's Clinical Commissioning Groups boundaries).

Who uses this information?

Access to the NHS Digital data is restricted to the Public Health Intelligence and Insight Team (PHIIT) in Surrey County Council's Public Health Team. Staff members are trained to be aware of data protection standards and to observe the guidelines relating to this data (e.g. Hospital Episode Statistics (HES) Guidelines or Office for National Statistics Disclosure Guidance).

What do we do with this information?

The PHIIT use this information for statistical analyses to measure the health, mortality or care needs of the population; to identify risks to the public's health and opportunities to improve the public's health, and to inform the planning, evaluation and targeting of health, care and public health services.

These analyses allow the Public Health Team to produce needs assessments which provide expert advice and intelligence for local commissioners to make effective decisions on how they spend funding for local services. These assessments can focus on a specific topic like falls or more general assessments of local health like the CCG Health Profiles. We contribute, alongside colleagues from within the council and other local partners, to the Joint Strategic Needs Assessment, which identifies the current and future health and social care needs of Surrey's population and analyses whether needs are being met locally. Analyses produced are also used within the Director of Public Health's Annual Public Health Report, and the pharmaceutical needs assessment – see Surrey's local information portal for more information on these publications (Surrey-i).

The Office for National Statistics (ONS) Birth data is used specifically to identify trends and variations in birth rates, low birth weight and still births, to inform the planning and targeting of health, care and public health services. Mortality data is used to monitor trends in the number of deaths, estimating death rates, providing input around place of death for end of life care analyses, monitoring child deaths, monitoring seasonal patterns of death and calculating excess winter deaths, reviewing life expectancy and premature deaths and variations by geographic areas, age, sex and other characteristics.

The HES data is used for monitoring population health in the county, and to inform the planning and commissioning of health services. This includes providing public health advice and support to local NHS commissioners, to monitor demand and variation in access to health care services along with health outcomes.

No person-identifiable information is published, and numbers and rates in published reports based on counts fewer than five are removed to further protect confidentiality and anonymity.

How is my data kept safe and secure?

All the data we process and hold is kept safely and securely within our IT systems. When not in use, our Primary Care Mortality Database (PCMD) data is encrypted (to the AES 256 standard). We do not disclose any data to a third party who is not identified on our licence agreement with NHS Digital. Any data requests received from a third party will only receive anonymised and/or aggregated data to a level that complies with the Office for National Statistics Disclosure Guidance or with the HES Guidelines and meets legal requirements.

How can I opt out of the Public Health datasets?

You have the right to opt-out of the Surrey County Council Public Health Intelligence Team receiving or processing your personal identifiable information. There are occasions where service providers will have a legal duty to share information, for example for safeguarding or criminal issues. The process for opting out will depend on what the specific data is and what programme it relates to.

If you have any questions about our use of these data, wish to request a copy of the information we hold about you, or if you wish to discuss your rights in relation to opting-out from these processes, please contact the Public Health Intelligence and Insight Team.

For independent advice about the use of your data

If you have concerns about the use of your personal data, the Information Commissioner's Office is an independent body set up to uphold information rights in the UK. They can be contacted through their website, through their helpline (0303 123 1113) and in writing at their head office: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF.

Access to your personal information

To make a request for personal information, fill in the access form. If you want to know more about how we handle data at Surrey County Council please read our Access to Information pages.

For further information on our privacy notices, please see information and privacy.

Contacting the Public Health Intelligence and Insight Team

By Telephone on 0208 213 2634

By email:

By post to: Public Health Intelligence & Insight Team, Surrey County Council, Woodhatch Place, 11 Cockshot Hill, Reigate, Surrey, RH2 8EF